
Nissan Leaf easily hacked through browser-based attacks

Demonstrates that cybersecurity is an afterthought


Cybersecurity expert Troy Hunt proves that Nissan’s Leaf cars are vulnerable to remote, browser-based hacking, allowing attackers to exploit a flaw in the electric vehicle’s companion app and seize control of the heating and air-conditioning system. The exploit is not dangerous in and of itself, but it can wreak havoc by draining car batteries.

The exploit stems from the fact that the NissanConnect app needs only a car’s vehicle identification number (VIN) to authenticate and take control, and the initial characters in the code can all be deduced based on the vehicle’s brand, make, and country of manufacture/headquarters. The only variables in the equation are the last five digits of the VIN, which are easily deciphered using a brute force app that tests all available possibilities.

But hackers don’t need the app to breach the vehicle, as the same commands can be issued directly from a web browser. To test this theory, the Australia-based Hunt recruited the help of UK-based security advisor and Leaf owner Scott Helme, arranging an experiment in which Hunt entered Helme’s VIN while the two communicated in real time. Unsurprisingly, the Leaf accepted the commands.

“As I was talking to Troy on Skype, he pasted the web address into his browser and then maybe 10 seconds later I heard an internal beep in the car. The heated seat then turned on; the heated steering wheel turned on. And I could hear the fans spin up, and the air-conditioning unit turn on,” says Helme.

Additional testing revealed that the hack cannot be perpetrated while the vehicle is in motion—fortunately—but it does reveal the owner’s registered name, as well as the times and distances of recent trips. Geotags were not included.

Hunt gave Nissan a month to patch the exploit before making it public, but seeing that nothing was done, he decided to take the initiative and provide a workaround. He explains that Leaf owners may protect themselves by disabling the CarWings account tied to their vehicle or by refraining from registering until Nissan releases a fix.

Additional testing revealed that the app doesn’t directly communicate with the vehicle. Instead, it sends commands to Nissan’s computer servers. What this means is that Nissan may easily rectify the issue by suspending the service.
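As an added example, and not code from the article, from Nissan, or from Troy Hunt's write-up, the Python below models the two points made above: the authorization gap of treating the VIN as the only credential (a label anyone can read off the windscreen or guess from its last five digits), the hardened handler a server-side fix would use (a session token plus an ownership check), and a small detector for the traffic shape that walking the VIN space would leave in the relay server's access log. All VINs, user names, tokens, function names and log lines are constructed placeholders.

```python
"""Added example (not Nissan's code): why VIN-only authorization fails, what the
server-side fix looks like, and how a relay server could spot VIN enumeration.
Every VIN, user, token and log line here is constructed for the demo."""
import secrets
from collections import defaultdict, deque

# Constructed fleet: 17-character VINs whose last five digits vary, as the
# article describes. The prefix is a placeholder, not a real Nissan WMI.
CARS = {
    "TESTVIN0000012345": {"owner": "alice", "climate": "off"},
    "TESTVIN0000067890": {"owner": "bob", "climate": "off"},
}
SESSIONS = {}  # token -> username; populated by login()


def insecure_set_climate(vin, state):
    """Vulnerable pattern the article describes: the only 'credential' is the
    VIN itself, so anyone who knows or guesses a VIN controls that car."""
    car = CARS.get(vin)
    if car is None:
        return "unknown vehicle"
    car["climate"] = state
    return f"climate {state}"


def login(username):
    """Hypothetical login: a real service would check a password/MFA first;
    here it only mints a random bearer token bound to the user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def secure_set_climate(token, vin, state):
    """Hardened pattern: a valid session plus an ownership check. The VIN is
    a public identifier, so it is never treated as a secret."""
    user = SESSIONS.get(token)
    if user is None:
        return "unauthenticated"
    car = CARS.get(vin)
    if car is None or car["owner"] != user:
        # Same answer for 'not yours' and 'does not exist', so the endpoint
        # cannot be used to confirm which VINs are registered.
        return "forbidden"
    car["climate"] = state
    return f"climate {state}"


class VinEnumerationDetector:
    """Flags a client that touches many distinct VINs inside a short window,
    the shape a last-five-digits guessing run produces in the server log."""

    def __init__(self, window_s=300, max_distinct=20):
        self.window_s = window_s
        self.max_distinct = max_distinct
        self.events = defaultdict(deque)  # client -> deque of (ts, vin)

    def observe(self, client, ts, vin):
        q = self.events[client]
        q.append((ts, vin))
        while q and ts - q[0][0] > self.window_s:  # drop events outside window
            q.popleft()
        return len({v for _, v in q}) > self.max_distinct


def scan_log(lines, detector=None):
    """Run constructed access-log lines ('ts client vin') through the detector
    and return the set of clients that tripped the threshold."""
    detector = detector or VinEnumerationDetector()
    flagged = set()
    for line in lines:
        ts, client, vin = line.split()
        if detector.observe(client, float(ts), vin):
            flagged.add(client)
    return flagged


# Constructed sample log: one client walking consecutive VINs, one ordinary
# owner polling their own car twice.
SAMPLE_LOG = [f"{1000 + i} 203.0.113.7 TESTVIN00000{i:05d}" for i in range(25)]
SAMPLE_LOG += ["1010 198.51.100.2 TESTVIN0000012345",
               "1300 198.51.100.2 TESTVIN0000012345"]

if __name__ == "__main__":
    print(insecure_set_climate("TESTVIN0000067890", "on"))   # works with the VIN alone
    tok = login("alice")
    print(secure_set_climate(tok, "TESTVIN0000067890", "on"))  # forbidden: bob's car
    print(secure_set_climate(tok, "TESTVIN0000012345", "on"))  # climate on
    print(scan_log(SAMPLE_LOG))                                # {'203.0.113.7'}
```

The ownership check is the real fix: once the server binds every command to an authenticated account that must own the VIN, knowing or guessing a VIN gains nothing, and the suspension the article mentions becomes a stopgap rather than the only option. The detector is deliberately crude (distinct VINs per client per window); in practice it would be one signal alongside per-account rate limits.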

A Nissan spokesperson responded: “[The hack] has no effect whatsoever on the vehicle's operation or safety. Our global technology and product teams are currently working on a permanent and robust solution.”

The incident once again reminds us that cybersecurity is often treated as an afterthought, fortified only after a problem rears its ugly head.

Source: BBC
