Nissan Leaf owners: Prepare to be pranked by hackers thanks to insecure API

Researchers revealed vulnerabilities in insecure APIs which could allow hackers to remotely control the heating and air conditioning in a Nissan Leaf.

Another day, another flaw revealed in the Internet of insecure things. If you have a Nissan Leaf, then prepare yourself to potentially be pranked by friends, frenemies – even complete strangers on the other side of the world. All a person needs is your Vehicle Identification Number (VIN) – which happens to be visible on your Leaf for anyone who wants to see it – and for you to use the Nissan Leaf remote management app.

Security pro Troy Hunt revealed that pranksters can switch on and off your heat or AC while your car is parked as well as exploit other options available to Nissan Leaf electric car owners via the companion NissanConnect EV app. The vulnerabilities are in the mobile management APIs which allow car owners to “check the state of battery charge, start charging, check when battery charge will complete, see estimated driving range, and turn on or off climate control system.” If anyone has your VIN, and you use the app, then they too can control those options via a web browser.

Why are there vulnerabilities? Because Nissan chose not to secure the APIs. Hunt told the BBC, “It's not that they have done authorization [on the app] badly, they just haven't done it at all, which is bizarre.”

While it’s not the same degree of urgency as when Charlie Miller and Chris Valasek remotely hacked a Jeep while it was being driven – and can’t be exploited while the vehicle is driving – Hunt said, “The ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial.”

“Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded. That was a very serious issue,” wrote Hunt. The problem was reported to Nissan, but when no fix had been deployed after 32 days, the researchers went public.
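The missing check described above, as an added example (not code from Nissan, Hunt or Helme): a toy Python model of a climate-control handler keyed on the VIN alone, beside one that authenticates the caller and then checks that the VIN belongs to that account. The account names, VINs, function names and token format are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: which account owns which vehicle (VINs are made up).
OWNERS = {"alice": {"TESTVIN0000000001"}, "bob": {"TESTVIN0000000002"}}
SERVER_KEY = secrets.token_bytes(32)  # signing key for session tokens (assumed design)

def issue_token(account: str) -> str:
    """Issued after a successful login; login and token expiry are out of scope."""
    mac = hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()
    return f"{account}.{mac}"

def account_from_token(token: str):
    """Return the account name if the token's MAC verifies, else None."""
    account, _, mac = token.partition(".")
    expected = hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return account if ok else None

def set_climate_unauthenticated(vin: str, on: bool) -> dict:
    """The pattern the article describes: the VIN is the only thing checked."""
    known = any(vin in vins for vins in OWNERS.values())
    return {"status": 200, "climate_on": on} if known else {"status": 404}

def set_climate(token: str, vin: str, on: bool) -> dict:
    """Hardened: authenticate the caller, then authorize caller -> VIN."""
    account = account_from_token(token or "")
    if account is None:
        return {"status": 401}
    if vin not in OWNERS.get(account, set()):
        # Same answer for "not yours" and "not enrolled", so responses
        # do not confirm which VINs exist to a caller walking the VIN space.
        return {"status": 404}
    return {"status": 200, "climate_on": on}
```

With the hardened handler, a valid session for one account gets a 404 for every VIN it does not own, so knowing a VIN is no longer sufficient to act on the vehicle.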

Hunt and fellow security researcher Scott Helme, who were 10,000 miles apart, made a video showing how a Leaf’s features can be controlled from across the globe via vulnerable APIs.

“This API thing is just nuts,” Helme said. “It's not even like they just missed auth or didn't check, it's actually not implemented. It was built, intentionally, without security...”

Helme added:

“Fortunately, the Nissan Leaf doesn't have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered. Still, a malicious actor could cause a great deal of problems for owners of the Nissan Leaf. Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it. It's much like being able to start the engine in a petrol car to run the AC, it's going to start consuming the fuel you have in the tank. If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it... You'd be stranded.”

Helme’s privacy concerns revolve around the telematics system in the car leaking all of his historic driving data. He wrote, “That's the details of every trip I've ever made in the car including when I made it, how far I drove and even how efficiently I drove. This could easily be used to build up a profile of my driving habits, considering it goes back almost 2 years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”

Helme suggested disabling Nissan CarWings accounts and detailed how to do so in Hunt’s post. Hunt suggested, “The right thing to do at the moment would be for Nissan to turn it [app] off altogether.”

If Helme sounds familiar, it might be because less than two weeks ago he collaborated in research showing how VoIP phones with default passwords can be used for covert surveillance. This time, after an accusation that the hackers “cocked up” Carwings and it would no longer work, Helme responded that he is a researcher and not a malicious hacker. He added, “The Climate Control and data leak aren't too bad, but imagine if I could remote unlock your car with just the VIN. You'd have a lot of fun with your insurance company proving that! Now that we've found it and told Nissan, they can fix it to protect you from the risk you were previously exposed to, just unaware of. Would you rather the risk be there and you simply didn't know about it?”

If someone does abuse your Leaf and you think you might complain to Nissan, then think again. Helme pointed out that, according to the “your responsibilities” section of the Carwings terms and conditions of use: “As between you and Nissan, you agree that you are solely responsible for any use of CARWINGS in your Electric Vehicle, even if you are not the one using it, and even if you later claim the use was not authorized.”
