UPDATE: Nissan LEAF Vulnerable To Hacking (w/video)

2 years ago by Steven Loveday

Nissan LEAF

Cybersecurity researcher Troy Hunt discovered that the Nissan LEAF can be easily hacked.

Nissan LEAF App

Hunt contacted Nissan and says he gave the automaker a month to fix the problem before he went public. The vulnerability apparently wasn’t fixed within that timeframe, so Hunt went public with the details of the hack earlier today.

UPDATE: Nissan has disabled the app due to this vulnerability. The automaker will work to fix the issue in as timely a manner as possible.

The issue is due to a security problem with the NissanConnect app. It only affects those who have signed up for a Nissan CarWings account. Hunt believes:

“The right thing to do at the moment would be for Nissan to turn it off altogether. They are going to have to let customers know. And to be honest, a fix would not be hard to do. It’s not that they have done authorization [on the app] badly, they just haven’t done it at all, which is bizarre.”

The NissanConnect app needs only the VIN to take control. This number is on the vehicle in plain view. The hack allows an outside user to control vehicle features such as heat and AC from the app or even a web browser. Stored information about recent trips is also accessible.
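To make the missing check concrete, here is an added example (not code from the article, from Troy Hunt, or from Nissan) of a server-side handler that trusts the VIN alone next to one that authenticates the caller and verifies ownership of the VIN. All function names, account names, VIN strings and status codes are assumptions constructed for illustration.

```python
# Added illustration: hypothetical names and constructed data, not Nissan's code.
import hashlib
import hmac
import secrets

# Constructed sample records: which account registered which vehicle.
OWNERS = {"EXAMPLEVIN0000001": "alice", "EXAMPLEVIN0000002": "bob"}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret that signs session tokens


def _mac(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Token handed out after a successful login (login and expiry omitted)."""
    return f"{account}.{_mac(account)}"


def account_from_token(token):
    """Return the account the token was issued to, or None if it does not verify."""
    if not token or "." not in token:
        return None
    account, mac = token.rsplit(".", 1)
    ok = hmac.compare_digest(mac.encode(), _mac(account).encode())
    return account if ok else None


def climate_on_vin_only(vin: str) -> int:
    """The flaw: the VIN is the only thing the server looks at."""
    return 200 if vin in OWNERS else 404


def climate_on_authorized(vin: str, token) -> int:
    """Authenticate the caller, then check that this caller registered this VIN."""
    account = account_from_token(token)
    if account is None:
        return 401  # no valid session
    if OWNERS.get(vin) != account:
        return 403  # same answer for unknown and foreign VINs: no lookup oracle
    return 200
```

Because the ownership check runs on the server, knowing or guessing a VIN is no longer enough, and the identical 403 for unknown and foreign VINs keeps the endpoint from confirming which VINs are registered.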

Hunt tested the hack with a friend, Scott Helme, who owns a LEAF. Scott explains:

“I was sat in the vehicle with everything powered off and didn’t have my key on me. So, the vehicle was as it would be if it was completely unattended. As I was talking to Troy on Skype, he pasted the web address into his browser and then maybe 10 seconds later I heard an internal beep in the car. The heated seat then turned on, the heated steering wheel turned on. And I could hear the fans spin up and the air-conditioning unit turn on.”

Fortunately, testing proved that the hack would not work once the car was being driven and that vital vehicle controls (accelerator, brakes, etc.) could not be hacked. Helme unregistered his Nissan app and Hunt lost communication with the vehicle.

Hunt said that since the app communicates through Nissan’s computer servers, the company could easily suspend it.
He concluded:

“Unfortunately what we are seeing is just another case of security being important after a problem is discovered.”

For much more detailed information from the “hacker” himself, check out TroyHunt.com

Source: BBC, hat tip to Bill R!


44 responses to "UPDATE: Nissan LEAF Vulnerable To Hacking (w/video)"

  1. bro1999 says:

    Some Leaf owner piss you off? Just hack into his account and turn on his HVAC full blast until his battery is dead! haha

  2. Zukidrvr says:

    That would take a very long time. The app is very slow to respond (if at all) and the climate control only function is limited to 15 minutes. The perpetrator would get bored fast. The victim would have a comfortable car, as all of the climate controls have conservative temperature limits.

    Not much to see here.

    1. Leptoquark says:

      The new NissanConnect app is much slower for me too than the native Leaf app Nissan used to have (the blue and yellow one). What used to load in about 20 seconds now takes about 90. The app is a real pain to use now.

      Maybe the hackers could improve the speed?

      1. kdawg says:

        That’s actually why it was originally being hacked; to improve it.

    2. Denis Perron says:

      And the car doesn’t start the clim if the battery is too low.

    3. Djoni says:

      Never mind the hacker, I got bored of using it and I am a legal owner.
      It’s slow, counterintuitive and needs to be refreshed any time you get in. If you can get in at all.
      Obviously, they put much less effort into the app than the car.

  3. Ocean Railroader says:

    I told you guys so that some fat guy in their basement named TJ could hack your cars and have a field day joy riding them.

    This is why I want a car that has no apps or internet hook ups when I drive it.

    1. krona2k says:

      That’s not what happened though. They can turn the heater on and start/stop charging.

      I mean it’s ridiculous that there’s no auth done on the server side but this isn’t taking control of critical car functions.

      1. Aaron says:

        They can only start, not stop, charging with this API.

      2. kdawg says:

        They can also get user data, including daily trip data.

    2. martinwinlow says:

      “Wahhhhhhhhhhh!!!! We’re all doomed, DOOMED I tell ye!”

      Whatever….. MW

  4. Motarra says:

    With their mediocre app design, buggy implementation and painful network/database latency Nissan missed an enormous opportunity to further differentiate the Leaf. Perhaps it’s unfair for me to judge without comparing to Tesla and other OEM apps. However the Leaf app is so underwhelming that I didn’t bother to bring it over to my new phone a year ago. The only thing I miss is being able to pre-cool the car down on a 100F+ day, and even that was painful and annoying to accomplish.

    It’s hard to believe the same company that produced the Leaf (a company and a car that deserve far more credit for the evolution of transportation than they get), also produced the Leaf app. If I were Ghosn I would have fired someone by now and started over with an outside firm.

    1. Brian says:

      You make valid points, but FWIW, VW uses an outside firm for their “CarNet” app. From what I have read, it is even worse than Nissan Connect EV (formerly CarWings)

    2. TP says:

      I would bet good money that Nissan outsourced the app. The old app, which was faster, was rarely updated and I have only seen one update to the new app since it launched last October.

      To be fair to the app, the speed issues might be the cloud network it is working on. I seem to recall seeing that Nissan was partnering with Microsoft Azure cloud service for this and other connected services. I do not know if everything has been migrated to that stack yet. There is also the issue of the cars using Edge network services in the US, which AT&T is shutting down at the end of this year.

  5. Kaleb says:

    I use the Nissan app daily. It’s a little slow but otherwise does a fine job of telling me the state of charge, it automatically texts me when my car is done charging so I can move it out of a charging spot so others can charge, and the remote climate control is wonderful on hot/cold days. As someone else pointed out, the climate control does not run for very long when on battery power, so this “hack” would do nothing more than make the car a more comfortable temperature inside and maybe use 0.25% of the battery. Big deal.

    1. Brian says:

      On a cold day, my car will pull 6kW to preheat for 15 minutes. That’s 1.5kWh, far more than 0.25% of the battery. And it will pull that every time it is started. So it wouldn’t take many iterations to leave someone stranded.

      Maybe I should un-register my car.

      1. Aaron says:

        That is the safest choice.

    2. Motarra says:

      “it’s a little slow”…NASA can send commands to a rover on Mars faster than Nissan to my Leaf. I dare you to go ahead and fact check that 🙂

      Hint: depends on how far Mars is from Earth…sometimes it’s really “close” and sometimes it’s far far away.

  6. Anthony says:

    Standard IT Security practice is 60-90 days from reporting the vulnerability and it being acknowledged by the vendor to releasing it publicly. 30 days is way too fast, and it was inappropriate of Troy to release the vulnerability.

    1. Klaus says:

      Agreed. I don’t like the security hole and it should be fixed, but 30 days is too short.

    2. David S. says:

      It was already publicly known since December

    3. Bret says:

      It seems to me that Nissan should have offered Troy a bit of money to program better authentication into the app.

      Problem solved in less than 30 days.

  7. SparkEV says:

    All this connected car stuff is just inviting problems. They should make them all optional (ie, take $ off price). I wouldn’t want any of them built into the car, and wouldn’t want to pay for the hardware even if not enabled.

    1. krona2k says:

      No. Security can be done right. You’re using the internet and presumably not worrying about anyone taking control of your critical data, bank accounts etc.

      The legacy car companies will eventually learn how to do this stuff properly. The very first thing to do is to have OTA updates, which Tesla was smart enough to do from day one, then even if there is a problem it can be fairly easily fixed.

      1. SparkEV says:

        I do worry about people taking control of my computer and bank account. That’s why I diligently check, use virtual machines, use non writable primary boot device, etc.

        Maybe I’m just old school, but it used to be that people were very concerned about privacy and security. Connected cars now come with microphones, cameras, GPS, who knows what else. With connection, potential for privacy breach is unimaginable. For someone who never plans to use any of it, paying extra for hardware is just waste.

        In case of OnStar, hardware like wifi is built into the car whether you sign up for it or not; getting 3 years “free” OnStar is a huge negative for me as I won’t ever use it while I worry about potential privacy concerns.

        1. The Woodster says:

          Wow, Spark. It must be very exhausting to be that paranoid!

    2. Just_Chris says:

      It is optional; you have to set up the account and spend hours on the phone with the dealer to try and get it to work. I am not sure about the rest of the world but no one accidentally set up a CarWings account in Australia.

  8. Jim T says:

    If you like using the Nissan App, which I do, how about just covering up the VIN plate?

    1. mega says:

      You would be surprised how easy it is to find your VIN in public databases, forums, dealer sites, etc.

      But if someone is after you, your VIN should be the last of your concerns.

  9. Brian S says:

    It makes me feel better about getting the S trim. Heated front and rear seats with none of the hack-ability.

    Tesla seems to be years ahead of everyone. If they stumble maybe the Alliance should just buy them. Ghosn has stated they’re not even going to try and compete in the high-end anyway.

    1. kdawg says:

      I’d say OnStar is in the lead. They’ve been doing it longer than anyone and have a lot more security built in. (Also first to use 4GLTE)

      Although no system is 100% secure, if someone wants to spend enough time/effort hacking it.

  10. G2 says:

    I’ve got a sure way to prevent anyone from doing this to my leaf; I’ve put a small card on my dash over the VIN #.

    Problem solved. ?

    1. AlanSqB says:

      I was thinking the same thing, but the real problem is some skiddie writing something that just goes down the line of vin numbers and then repeats, just for the heck of it. I don’t think anyone close enough to see my vin would have any clue how to do this.

      1. Trollnonymous says:

        I can’t see your VIN but…

        Dim intVictimNumber
        Dim blnResult
        For i = 1 to 99999
        intVictimNumber = i
        Call ValidateLEAFConnection(intVictimNumber,blnResult)
        Next

  11. Trollnonymous says:

    Tesla had Hackers bang and breach the Model S. They got to the same controls with the same results and patched it.

    The difference is, Tesla was proactive about it and invited the hackers to learn from it and harden the system.

    I’m pretty sure Nissan will patch it.

    1. Rebel44 says:

      And to get into Tesla systems required physical access, including dismantling parts of car interior.

    2. Jeff Songster says:

      I think they will definitely fix it soon… especially before self driving features get enabled. Turning on AC or heat… even vague trip details not really worrying… yet… but if they could get control of more drive by wire controls… very bad stuff.
      The Jeep one required physical access initially to the car to set it up… this one can come in via the cell modem. Needs to be addressed soon.

  12. jdbob says:

    Just be patient, AT&T will be turning off Carwings at the end of the year – problem solved!

  13. kubel says:

    This may be classified as a vulnerability (maybe), but it’s not a hack. Discovering that something doesn’t use authentication isn’t hacking. If I send an email and spoof the from address, that’s not hacking. It’s just doing what SMTP natively does (which is no authentication).

    I’m not defending Nissan for not using authentication, but this has been widely known and ‘exploited’, if you will, by third-party CarWings apps for a number of years.

  14. Mike says:

    already disabled my EVConnect account.
    they can also disable your timed charge or change it to another time etc.
    All the things you can do in the app can be done here, including access all your drive/journey data.
    Sadly the issue is complete lack of security between the app and the user. The comms between the data center and the car are probably secure.
    This just proves that Nissan have no clue about technology and should mess with it. Imagine how many corners they cut with their auto drive if they can’t even make this simple app secure.

  15. enerc77 says:

    Is it US only? To connect to Europe server, I do need user/password.
    I agree EV Connect is terribly slow.

  16. Just_Chris says:

    Once they release details of the hack, can you publish them here? Since they have switched to the new app I haven’t been able to use any of the functions from my phone using the official portal; maybe the “hack” would work.

    I cannot imagine anyone wanting my vehicle usage data, I am fairly certain it doesn’t have GPS coordinates so would it really be that valuable to anyone to know I drove 20 km this morning? As for them maliciously turning on my ac, really???? I think that is a risk I am willing to take.

    1. Rebel44 says:

      There are plenty of trolls out there, who will be happy to write a script, to send malicious orders to all VINs in viable range (1 – 999999), just to annoy people.

  17. Aaron says:

    Now would be a really good time for AT&T to fully drop their 2G network that they were in process of doing anyway. The LEAF SL/SV communicates over the ancient 2G network.

    Of note, LEAF “S” models (the models that don’t have the built-in navi) are not affected.