Imagine a scenario where a car could be controlled from a personal computer thousands of miles away. Computer security specialist and programmer Troy Hunt figured out how to do it – with only a PC and an internet connection, accessing a stock Nissan Leaf across the globe. The hacking was limited only to the car’s air-conditioning, but it is a glaring example of what could be done.
Hunt stated that his research began when a participant at a computer security conference where he was presenting approached him with evidence that his Nissan Leaf could be controlled online through the Nissan mobile application. With that information, and by using the same methods as the mobile app, any Nissan Leaf could be accessed from pretty much any place as well.
Troy Hunt, who lives in Australia, approached fellow computer security researcher and Nissan Leaf owner Scott Helme. Based in the UK, Helme allowed Hunt access to his car’s system to see the extent of what they could do. They uploaded a video online to publish the results of their experiment.
As seen in the video, Hunt was able to get into Helme’s Leaf while it was not even started. He was able to retrieve general data from the car, including information about the car’s latest drives, distances of the drives, power usage, the car’s battery state, etc. Hunt was also able to power on the automobile’s heating and air-conditioning systems – even the car’s climate-controlled seats.
This information is accessible because these are the same settings that can be configured through the Leaf’s mobile application. The app is mostly used to turn on the heating or air-conditioning before getting into the car, to check the state of the battery remotely, and so on.
The Nissan Leaf mobile app is the key to how the car can be controlled remotely online, since remote control is the app’s main function. The researcher who approached Hunt (and who wished to stay anonymous) discovered the problem by using his PC as a proxy between the mobile app and the internet. Through this set-up, the requests from the mobile app to Nissan’s main servers could be viewed.
The researcher also discovered, by looking through the code, that the car’s Vehicle Identification Number (VIN) can be seen as part of the request. Changing this VIN is the crucial step in accessing any Nissan Leaf. In parts of the world, the law requires a car’s VIN to be visible through the windshield, which makes it easier to hack an unsecured Nissan Leaf.
Hunt also added some alarming information, saying “the request his phone had issued didn’t appear to contain any identity data about his authenticated session.” This means that Hunt was able to access the system anonymously, without much security to get through. It also adds to the problem that accessing information on a Nissan Leaf through the app involves no real security measures or verification methods at either end of the connection.
The original researcher also observed that when he turned the air-conditioning on and off remotely, the system processed the requests without any authorization steps. He also repeated these steps in his web browser, with the same result.
Put simply, this means anyone with an internet connection can potentially access the travel information and control functions of the Nissan Leaf remotely – so long as the car’s VIN is available to the potential hacker.
Hunt was able to replicate this by generating several Leaf VINs and making a request for battery usage for the VINs he had. Soon after, Hunt received confirmation from these requests. Hunt suspected that the VIN was the only prerequisite for accessing the vehicles’ information, and that “there was a complete lack of (authorization) on the service”.
He added that it wasn’t solely an issue of retrieving the status of a specific Leaf, as other app protocols could take control of the vehicle’s climate settings. Any potential hacker can list VINs and gain access to any of the vehicles that respond to the app’s commands.
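The missing check described above can be shown on a small server-side handler. This is an added example, not Nissan's code or code from Hunt's write-up: the account names, placeholder VINs, token format and function names are all constructed for illustration. The first handler answers for any VIN it is given, which is the behaviour the article reports; the second requires a valid session and then checks that the session's account owns the requested VIN.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the VINs are placeholders, not real identifiers.
OWNERS = {"alice": {"VIN-PLACEHOLDER-0001"}, "bob": {"VIN-PLACEHOLDER-0002"}}
BATTERY = {"VIN-PLACEHOLDER-0001": 81, "VIN-PLACEHOLDER-0002": 40}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret used to sign sessions

def _sign(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def issue_token(user):
    """Session token handed out after login (the login step is omitted)."""
    return f"{user}.{_sign(user)}"

def user_from_token(token):
    """Return the account name if the token signature verifies, else None."""
    user, _, mac = (token or "").partition(".")
    ok = hmac.compare_digest(mac.encode(), _sign(user).encode())
    return user if ok else None

def battery_status_vulnerable(vin, token=None):
    """Behaviour the article describes: the VIN alone selects the car."""
    if vin not in BATTERY:
        return 404, None
    return 200, BATTERY[vin]

def battery_status_hardened(vin, token=None):
    """Authenticate the caller, then authorize that caller for this VIN."""
    user = user_from_token(token)
    if user is None:
        return 401, None  # no valid session at all
    if vin not in OWNERS.get(user, set()):
        # Same answer for unknown VINs and other people's VINs, so the
        # response cannot be used to confirm which VINs exist.
        return 403, None
    return 200, BATTERY[vin]

if __name__ == "__main__":
    alice = issue_token("alice")
    print(battery_status_vulnerable("VIN-PLACEHOLDER-0002"))       # no session
    print(battery_status_hardened("VIN-PLACEHOLDER-0002", alice))  # not her car
    print(battery_status_hardened("VIN-PLACEHOLDER-0001", alice))  # her car
```

The same ownership check belongs on every command endpoint, including the climate controls, not only on the status query.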
He made numerous attempts at informing Nissan about the security problem with the mobile app, but for more than a month, the car company did not provide any resolutions. Hunt sent at least 10 e-mails, and was able to speak to them on the phone once. Towards the last few days of February, after he was advised by Nissan to wait a few weeks before publishing any articles online, he decided to publish his findings since so much time had passed and word had to get out to other Nissan Leaf owners who were in the dark.
It wasn’t until February 25th that Nissan finally took action in the whole mobile app security ordeal. The Japanese carmaker disabled its mobile app while it tries to fix the security breaches found by Troy Hunt. It plans to relaunch the app once all breaches are fixed.
Nissan, in an email to Computerworld, stated, “The NissanConnect EV app is currently unavailable. We apologize for the disappointment caused to our Nissan Leaf customer.” The company confirmed the information presented by Hunt and Helme, who found the vulnerabilities in the mobile app, specifically in the controls for the temperature and telematics functions of the car.
Fortunately, the electric car did not have features that allowed it to be started or unlocked remotely, which would have been a bigger disaster than what was discovered, Helme added. At most, the insecure mobile application would allow a hacker to drain the car’s battery through the heating and cooling systems, stranding an unknowing driver somewhere; at the very least, they could gain access to the Leaf’s driving history.