Security researcher and all round good guy Troy Hunt has demonstrated how you can hack Nissan’s Leaf and take control of some minor systems and potentially spy on travel data.
You might recall that in July of last year we covered a story about one of Fiat Chrysler’s cars which could be hacked and disabled via its Internet connected dashboard.
Now there’s another one! Although not as serious it turns out that the Nissan Leaf can be hacked via the manufacturer’s app, NissanConnect.
The NissanConnect app allows users with both a smartphone and a compatible Nissan car to manage their air conditioning, view estimated driving range and various other bits and bobs.
Tory Hunt demonstrated his findings on his blog, here.
The vulnerability
Mark James, ESET IT Security Specialist, explains that the vulnerability is not with the Leaf itself but with the servers Nissan use for the car and its app.
“The actual vulnerability is not with the cars exactly it’s more the servers Nissan are using to host the service.
“Data is sent from the car back to servers if the end user signs up and registers their car with the NissanConnect app.
“By using the app or a web browser it’s possible to guess the needed credentials (in this case only the VIN number of the car) to gain access to secondary controls and user data on times and distances travelled.
“This could enable you to drain the battery, whilst this may seem quite insignificant it could be used to strand someone or incapacitate the car.”
As you can see it’s nowhere near as serious as the Chrysler incident but as Mark points out it could potentially escalate in future.
“Thankfully it only affects secondary controls so not as bad as some car hacks we have seen in the past where door locking or even steering has been affected.
“But technologies advance and if these flaws had not been found then more features may have been added and thus compromised.”
Precautions
If you have a Nissan Leaf and use the NissanConnect app what should you do to protect yourself?
“The first thing I would ask myself is do I really need to connect my car to the Internet? Either through a website or smartphone app, the most likely answer is no.
“If you do then make sure you regularly check the information you are sending: most can be configured to turn features on and off and check after each update.
“We are no longer striding towards an internet connected world we are now running downhill towards anything and everything being connected without regard for security and safety.
“It may seem like an inconvenience to have authentication to be able to turn your heated seats or steering wheel on when it’s cold and icy in the morning but it’s better than having another portion of your private lives exposed for all to see and plunder.”
What should the manufacturer do?
Often the most important aspect of a breach or hack is how the affected company deals with it. Mark offers some sound advice to Nissan and any company thinking of adding some Internet-connected features to their products.
“Nissan should simply suspend the service until it’s safe to use again, doing nothing will not make it any more secure.
“If you’re going to connect to the Internet from anywhere you have to ensure authentication is in place.
“Every new feature you implement or cutting edge advantage you use to sell your cars has to be pitched from the “what if” angle of it being compromised.
“People are definitely getting more tech savvy and just because you can does not mean you should, yes we want our smartphones to do everything but we also want to feel safe and secure.
“The small advantage of having remote features will pale into insignificance if and when your data is compromised and you lose the trust of your precious users.”
Do you own a Nissan Leaf and did you use the NissanConnect app?
Join the ESET UK LinkedIn Group and stay up to date with the blog. If you’re interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.