Nissan acts on Leaf car app security flaw after researcher goes public

Nissan suspends its electric car app after a researcher went public about a security flaw that could enable attackers to take control of heating systems

Nissan has suspended its NissanConnect mobile app a day after a security researcher went public about its security vulnerabilities, but a month after he alerted the car maker.

When Nissan failed to respond to Troy Hunt’s warnings, and he discovered others were discussing the security vulnerabilities, he published a blog on his findings.

Working with a Nissan Leaf owner in the UK, Hunt was able to connect to his collaborator’s NissanConnect account through a web browser from Australia.

Hunt was then able to turn on the seat and steering wheel heating and the air-conditioning systems remotely, as well as find the owner’s registered username and distances for recent journeys.

This was possible because the NissanConnect app only required the vehicle identification number (VIN) for access, which meant access was not restricted to a car’s owner.

VINs are usually stencilled on a car window and normally differ in the last five digits – which means attackers could write a script to go through all possible combinations.

Nissan immediately came under fire from security experts because of its failure to include any mechanism to authenticate the user as the car’s owner.

Most commentators urged Nissan to suspend the app until a fix is available, which the company has now done.

“We’re looking forward to launching updated versions of our apps soon,” Nissan said in a statement.

The car maker said that while the app was unavailable, no other “critical driving elements” were affected in the Leaf car and eNV200 electric van models.

“Drivers worldwide can continue to use their cars safely and with total confidence,” Nissan said, adding that it has sold more than 200,000 Leaf electric vehicles since 2010.

Security ‘cannot be an afterthought’

Nissan initially defended its inaction, saying the security flaw did not represent a safety risk because no critical functions could be accessed.

But Hunt pointed out that not only could attackers potentially disable Leaf cars by turning on the heating and ventilation systems to drain the battery, but they could also use driving logs to track owners.

“As car manufacturers rush towards joining in on the internet of things craze, security cannot be an afterthought, nor something we’re told they take seriously after realising they didn’t take it seriously enough in the first place,” he wrote in a blog post.

Hunt and others also expressed concerns that if the app or car system developer were to add app features – such as remote door unlocking or remote engine disablement – and assumed the app itself was safe and secure, then there could be serious implications. These could include the theft of a car or its contents, or even an accident.

Secure application development

Most commentators said car manufacturers in general should apply the tried and trusted principles for secure application development.

Craig Young, security researcher at Tripwire, said that it is likely there will be many more privacy and security-related issues as connected car technology is still in its infancy. 

“Generally speaking any service – but especially services pertaining to connected cars – should not be authenticated based on non-private data,” he said.

According to Young, instead of the VIN, Nissan should have provided an authentication token for car owners to log in and use as an access control, to prove the client is authorised to perform actions on a particular vehicle.
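The access control Young describes, set beside the VIN-only check the article reports, as an added example that is not Nissan's code and does not come from the article. The function names, the token layout, the 15-minute lifetime and the sample VINs are assumptions, and the owner is assumed to have already logged in before `issue_token` is called.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: made-up VINs mapped to the account that owns them.
OWNERS = {"SAMPLEVIN00000001": "alice", "SAMPLEVIN00000002": "bob"}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients
TOKEN_TTL = 900  # assumed token lifetime in seconds


def _tag(account, vin, expires):
    msg = f"{account}|{vin}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def climate_on_vin_only(vin):
    """Flawed pattern: anyone who knows a VIN is treated as the owner."""
    return vin in OWNERS


def issue_token(account, vin, now=None):
    """After login, bind a short-lived token to one account and one vehicle."""
    if OWNERS.get(vin) != account:
        raise PermissionError("account does not own this vehicle")
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{account}|{vin}|{expires}|{_tag(account, vin, expires)}"


def climate_on_with_token(vin, token, now=None):
    """Hardened pattern: the request needs a valid, unexpired token for this VIN."""
    try:
        account, token_vin, expires, tag = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if not hmac.compare_digest(tag.encode(), _tag(account, token_vin, expires).encode()):
        return False  # forged or tampered token
    if (now if now is not None else time.time()) >= expires:
        return False  # expired token
    # The token must name the requested vehicle, and ownership must still hold.
    return token_vin == vin and OWNERS.get(vin) == account
```

The VIN stays in the request only to say which vehicle is meant; the decision rests on the secret-keyed token, so a VIN read off a windscreen grants nothing.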

1 comment

I cannot see why we need so much connectivity in our cars. I feel it is just one more distraction and adds major dollars to a repair of the system. I fear what could happen if hackers took control of my car when driving. To top it off, it would probably be a young adult most likely looking to play around. I'd love to have my older car back. One I could work on myself.