Chepko Danil - Fotolia
Nissan has come under fire from security experts for breaking basic security rules, making its Leaf electric car easy to hack from a web browser.
Australia-based security researcher Troy Hunt demonstrated how hackers could hijack the vehicle’s heating and air-conditioning systems, identify owners and spy on their recent journeys.
VINs are usually stencilled on a car window and normally differ only in the last five digits – which means attackers could write a script to go through all possible combinations.
Hackers can exploit the lack of authentication to deplete the car’s battery and invade owners’ privacy – but Nissan said there was no safety impact and has taken no action since Hunt contacted the company.
However, the company said in a statement that it is “committed to resolving the issue as a matter of priority” and that its global technology and product teams are working on a “permanent and robust” solution.
Hunt said that, although the hack does not affect the driving controls of the vehicle, "it is bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial".
“As car manufacturers rush towards joining in on the internet-of-things craze, security cannot be an afterthought nor something we’re told they take seriously after realising that they didn’t take it seriously enough in the first place,” he wrote in a blog post.
Read more about vulnerability disclosure
- Qualys CTO Wolfgang Kandek discussed the hot topic of responsible vulnerability disclosure policies, and the friction between Google and Microsoft, at RSA Conference 2015.
- Swiss research group Modzero disclosed a vulnerability that enabled remote attacks on Xceedium's Xsuite privileged access manager.
- Google's Project Zero has added more leeway to its vulnerability disclosure policy, but industry observers are split on whether 90 days is enough time to fix software flaws.
Ethical disclosure 'challenging'
Hunt decided to go public with his findings after he discovered Leaf users in Canada had discovered the problem and were discussing it on open online forums.
Hunt said that, until Nissan fixes the problem, Nissan Leaf owners should disable their Nissan CarWings telematics service account. Those who have never signed up are not at risk.
Hunt confirmed the security risk by accessing the account of a Leaf owner in the UK from a web browser in Australia.
Read more about connected cars
- Automotive market research specialist JD Power warns that car manufacturers are wasting money on connected car technologies that most people don’t use.
- Juniper Research study finds integrated in-vehicle connectivity and apps will become standard in new cars by the end of 2018.
- Audi drivers will be able to buy in-car connectivity through an MVNO agreement spanning 13 European countries.
He remotely turned on the seat and steering wheel heating and the air-conditioning systems and found the owner’s registered username and distances for recent journeys. However, he said he could not find location data, nor access the car’s systems while it was in motion.
Although Hunt believes that Nissan should be taking the issue more seriously, he praised the company for making it easy for security researchers to reach the right people quickly.
“They were receptive and – whilst I obviously would have liked to see this rectified quickly – compared to most ethical disclosure experiences security researches have, Nissan was exemplary,” he wrote.
Security researchers often complain that companies typically do not have responsible disclosure processes in place, making it difficult to discuss security flaws they have discovered.
At the DEF CON 23 hacker conference in Las Vegas in August 2015, security firm Rapid7 told Computer Weekly that – despite the importance of security vulnerability disclosure – it can be challenging to open up channels of communication with non-security companies.
Authentication a 'basic' oversight
The lack of user authentication is one of the most basic security mistakes that could be made, said Richard Kirk, senior vice-president at security firm AlienVault.
“It is hard to understand how a major global car manufacturer like Nissan could have allowed an app to be designed in such a way and not performed some degree of app security assessment and penetration testing before placing the app in the app store,” he said.
Kirk said that, if the app or car system developer were to add app features – such as remote door unlocking or remote engine disablement – and assumed the app itself was safe and secure, then there could be serious implications, including the theft of a car or its contents, or even an accident.
Owners of internet-enabled cars should take the same precautions as with other aspects of their digital lives – including using unique secure passwords and not sharing them – he advised.
“Unfortunately however, the security flaw with the NissanConnect App cannot be mitigated by the owner of the car, since it is part of the back-end system, rather than the app itself,” he said.
Car manufacturers in general should apply the tried and trusted principles for secure application development, said Kirk, adding that many books had been written on the subject and numerous security companies offered help in this regard.
Vehicle connectivity concerns
Hunt notes that his report was published coincidentally in the same week that Nissan unveiled a revised Leaf at the GSMA Mobile World Congress.
“Clearly, like many car makers, their future involves a strong push for greater connectivity in their vehicles,” he said.
According to Hunt, among the list of features being added to the NissanConnect app is the ability to remotely show the vehicle position on a map and analyse driving.
“Whilst there are obvious upsides to drivers having access to these features, seeing them presented within the security implementation of the current app would be very worrying for obvious reasons,” he wrote.
Mark James, security specialist at cyber security firm ESET said users of internet connected cars should consider if they really need to connect their car to the internet.
“The most likely answer is 'no' but, if you do, make sure you regularly check the information you are sending, most can be configured to turn features on and off and check after each update,” he said.
"We are no longer striding towards an internet connected world we are now running downhill towards anything and everything being connected without regard for security and safety.”
While it may be inconvenient to have to authenticate just to turn on your heated seat or steering wheel on a cold morning, it is “better than having another portion of your private lives exposed for all to see and plunder”, he said.
Economy of effort vs security
Car manufacturers should learn that, if they are going to connect their vehicles to the internet from anywhere, they must ensure authentication, said James.
“Every new feature you implement or cutting-edge advantage you use to sell your cars has to be pitched from the ‘what if’ angle of it being compromised,” he said.
"Yes, we want our smartphones to do everything – but we also want to feel safe and secure. The small advantage of having remote features will pale into insignificance if and when your data is compromised and you lose the trust of your precious users."
According to James, because hackers cannot communicate directly with the vehicles, Nissan should block access by suspending the service until it is safe to use again.
Craig Young, security researcher at Tripwire said that, with connected car technology still in its infancy, it is likely there will be many more privacy and security-related issues.
“Generally speaking any service – but especially services pertaining to connected cars – should not be authenticated based on non-private data,” he said.
According to Young, instead of the VIN, Nissan should have provided an authentication token for car owners to login and use as an access control, to prove the client is authorised to perform actions on a particular vehicle.
“I would recommend that Nissan considers implementing two-factor authentication for added protection. This could be as simple as having a more involved first-time set-up, in which mobile devices are issued a device token which will subsequently be sent along with a username and password when connecting to the service,” he said.