Nissan apologizes, shutters mobile app that left Leaf EV hackable

25.02.2016
Nissan has shut down a popular mobile app for its Leaf electric vehicle after security experts demonstrated they could use the app's insecure APIs to remotely control any vehicles' functions.

"We apologize for the disappointment caused to our Nissan Leaf customers who have enjoyed the benefits of our mobile apps," Nissan wrote in an emailed reply to Computerworld. "However, the quality and seamless operation of our products is paramount."

Two security researchers this week demonstrated a security vulnerability in the Nissan Leaf electric car by using the NissanConnect EV app's APIs.

The unsecured APIs allow anyone who knows the VIN of a car to access non-critical features such as climate control and battery charge management from anywhere across the Internet. Additionally, someone exploiting the unauthenticated APIs can see the car's estimated driving range.

Along with controlling some vehicle functions, the other main concern is that the telematics system in the car makes available historic driving data, one security expert said in a blog post.

Nissan said it has shuttered access to the NissanConnect EV app (formerly called CarWings), following the security experts' report and its own internal investigation.

Nissan said it found the dedicated server for the NissanConnect EV app "had an issue" that enabled the temperature control and other telematics functions to be accessible via a non-secure route.

"No other critical driving elements of the Nissan Leaf are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence," a Nissan spokesman wrote. "The only functions that are affected are those controlled via the mobile phone -- all of which are still available to be used manually, as with any standard vehicle."

The carmaker added that iy plans to re-launch NissanConnect EV once it's been updated.

Craig Young, a cybersecurity researcher for security software developer Tripwire, said that while cloud connected car tech is in its infancy, "it is likely that we will continue to hear about privacy and security related issues."

"Generally speaking, any service, but especially services pertaining to connected cars, should not be authenticated based on non-private data. For example, with a service like this, it would be better to have an authentication token provided to clients upon login and then used as an access control to prove that the client is authorized to perform actions on that VIN," he wrote in an email to Computerworld.

Nissan should consider implementing two-factor authentication for its mobile apps, which might require a more involved first time setup by drivers, but would be worth it, Young said.

"Fortunately, in this case I would not expect there to be any safety concerns, but the possibility remains that this flaw could be used in conjunction with other vulnerabilities to further compromise a connected car," Young added.

This is not the first time security experts have demonstrated vehicle vulnerabilities via a remote app.

Last year, Fiat Chrysler Automobiles issued a recall notice for 1.4 million vehicles in order fix a software hole that allowed hackers to wirelessly break into some vehicles and electronically control vital functions such as braking and acceleration.

The National Highway Safety Administration also investigated the security issues that involved 2015 Jeep Cherokees.

Security experts Charlie Miller and Chris Valasek collaborated with Wired magazine to demonstrate how they could remotely hack into -- and control -- the entertainment system and more vital functions of a Cherokee SUV.

The hackers were able to use the cellular connection to the Jeep's entertainment system, or head unit, to gain access to other systems; the head unit is commonly connected to various electronic control units (ECUs) located throughout a modern vehicle. There can be as many as 200 ECUs in a vehicle.

"We could have easily done the same thing on one of the hundreds of thousands of vulnerable vehicles on the road," Miller told Computerworld at the time.

(www.computerworld.com)

Lucas Mearian