Insecure APIs allow anyone to mess with Nissan LEAF electric car

A vulnerability in the mobile app used to interact with Nissan LEAF, a popular electric car, can be exploited by remote, unauthenticated attackers to switch the car’s AC and heating system on and off, and to extract details about the owner’s journeys, security researcher Troy Hunt has demonstrated.


The weakness lies in the fact that the app interacts with the car via APIs that require no authentication, and can therefore be accessed by anyone with an Internet connection, even via a web browser. The app’s queries and commands are sent via the company’s servers.

The only thing that the attacker must know to target a specific car is that car’s Vehicle Identification Number (VIN), which is prominently displayed on the car’s windscreen. An attacker could also target random cars by discovering their VINs through a simple enumeration process.

So far, the dangers related to the existence of this flaw – it has yet to be patched – are not that high. A LEAF user could end up with an unexpectedly drained battery, or an attacker could gain some insight into his or her daily movements. Luckily, the APIs can’t be used to mess with the car’s brakes, steering wheel or doors.

But as the app’s capabilities are set to be expanded, this is a problem that needs to be solved, and fast.

Hunt, who was first alerted to the vulnerability by one of the attendees of one of his workshops, asked fellow security researcher Scott Helme to help with a demonstration of the attack (Helme owns a Nissan LEAF).

Once they had confirmed that it could be done, Hunt reported the flaw to the carmaker on January 23. In the meantime, he learned that the flaw had been independently discovered by a number of individuals around the world, and is being publicly discussed on at least one online forum.

This is what prompted him to share details about the flaw with the public (after carefully omitting certain info), even though Nissan is yet to come up with a fix.

“As car manufacturers rush towards joining in on the ‘Internet of Things’ craze, security cannot be an afterthought nor something we’re told they take seriously after realising that they didn’t take it seriously enough in the first place,” Hunt pointed out.

“In my view, this is the sort of flaw that needs to have the service pulled until it can be fixed properly and restored; it’s not a critical feature of the vehicle yet it has the potential to impact its physical function and there’s the privacy risk as well.”

Until Nissan pushes out a fix, LEAF owners can temporarily disable Nissan’s CarWings telematics service by logging into it from a browser, selecting “Configuration” from the menu and pressing the “Remove CarWings” button.

“While cloud connected car technology is in its infancy, it is likely that we will continue to hear about privacy and security related issues,” commented Craig Young, a security researcher at Tripwire.

“Generally speaking any service (but especially services pertaining to connected cars) should not be authenticated based on non-private data. For example, with a service like this, it would be better to have an authentication token provided to clients upon login and then used as an access control to prove that the client is authorized to perform actions on that VIN,” he pointed out.

“I would recommend that Nissan consider implementing a 2-factor authentication for added protection. This could be as simple as having a more involved first time setup in which mobile devices are issued a device token which will subsequently be sent along with a username and password when connecting to the service.”
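The server-side check Young describes can be sketched as follows. This is an added example, not code from Nissan, Hunt or Young: the function names, the HMAC-signed token format, the account names and the placeholder VINs are all assumptions made for illustration. It puts a handler that trusts the VIN alone beside one that requires a login token and verifies that the authenticated account owns the VIN.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients
# Constructed sample data: which account is registered to which (placeholder) VIN.
OWNERS = {"alice": {"VIN-PLACEHOLDER-0001"}, "bob": {"VIN-PLACEHOLDER-0002"}}

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user: str, ttl: int = 900) -> str:
    """Called only after a successful login; the token expires after ttl seconds."""
    payload = f"{user}|{int(time.time()) + ttl}"
    return f"{payload}|{_sign(payload)}"

def verify_token(token):
    """Return the authenticated user name, or None if the token is invalid."""
    try:
        payload, sig = token.rsplit("|", 1)
        user, exp = payload.rsplit("|", 1)
        expires_at = int(exp)
    except (AttributeError, ValueError):
        return None  # missing or malformed token
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None  # forged or tampered token
    if time.time() >= expires_at:
        return None  # expired token
    return user

def climate_insecure(vin: str, action: str) -> int:
    # The weakness described in the article: the VIN, which is not a secret,
    # is the only thing the request has to supply.
    return 200

def climate_hardened(token, vin: str, action: str) -> int:
    user = verify_token(token)
    if user is None:
        return 401  # not authenticated
    if vin not in OWNERS.get(user, set()):
        return 403  # authenticated, but not authorized for this VIN
    return 200
```

The ownership lookup is the part that matters: a valid login on its own must not grant access to an arbitrary VIN.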

UPDATE:

Nissan has temporarily disabled the vulnerable app. LEAF owners can continue to use their cars safely, the company said, because all the functions controlled by the app can also be controlled manually by the driver.