conejota - Fotolia
Nissan acts on Leaf car app security flaw after researcher goes public
Nissan suspends its electric car app after a researcher went public about a security flaw that could enable attackers to take control of heating systems
Nissan has suspended its NissanConnect mobile app a day after a security researcher went public about its security vulnerabilities, but a month after he alerted the car maker.
When Nissan failed to respond to Troy Hunt’s warnings, and he discovered others were discussing the security vulnerabilities, he published a blog on his findings.
Working with a Nissan Leaf owner in the UK, Hunt was able to connect to his collaborator’s NissanConnect account through a web browser from Australia.
Hunt was then able to turn on the seat and steering wheel heating and the air-conditioning systems remotely, as well as find the owner’s registered username and distances for recent journeys.
This was possible because the NissanConnect app only required the vehicle identification number (VIN) for access, which meant access was not restricted to a car’s owner.
VINs are usually stencilled on a car window and normally differ in the last five digits – which means attackers could write a script to go through all possible combinations.
Nissan immediately came under fire from security experts because of its failure to include any mechanism to authenticate the user as the car’s owner.
Most commentators urged Nissan to suspend the app until a fix is available, which the company has now done.
Read more about connected cars
- Automotive market research specialist JD Power warns that car manufacturers are wasting money on connected car technologies that most people don’t use.
- Juniper Research study finds integrated in-vehicle connectivity and apps will become standard in new cars by the end of 2018.
- Audi drivers will be able to buy in-car connectivity through an MVNO agreement spanning 13 European countries.
“We’re looking forward to launching updated versions of our apps soon,” Nissan said in a statement.
The car make said that while the app was unavailable, no other “critical driving elements” were affected in the Leaf car and eNV200 electric van models.
“Drivers worldwide can continue to use their cars safely and with total confidence,” Nissan said, adding that it has sold more than 200,000 Leaf electric vehicles since 2010.
Security ‘cannot be an afterthought’
Nissan initially defended its inaction, saying the security flaw did not represent a safety risk because no critical functions could be accessed.
But Hunt pointed out that not only could attackers potentially disable Leaf cars by turning on the heating and ventilation systems to drain the battery, but could also use driving logs to track owners.
“As car manufacturers rush towards joining in on the internet of things craze, security cannot be an afterthought, nor something we’re told they take seriously after realising they didn’t take it seriously enough in the first place,” he wrote in a blog post.
Hunt and others also expressed concerns that if the app or car system developer were to add app features – such as remote door unlocking or remote engine disablement – and assumed the app itself was safe and secure, then there could be serious implications. These could include the theft of a car or its contents, or even an accident.
Secure application development
Most commentators said car manufacturers in general should apply the tried and trusted principles for secure application development.
Craig Young, security researcher at Tripwire, said that it is likely there will be many more privacy and security-related issues as connected car technology is still in its infancy.
“Generally speaking any service – but especially services pertaining to connected cars – should not be authenticated based on non-private data,” he said.
According to Young, instead of the VIN, Nissan should have provided an authentication token for car owners to log-in and use as an access control, to prove the client is authorised to perform actions on a particular vehicle.