Real World Attack – Nissan Electrical Vehicle (Leaf)
A relatively newer technology gaining a much greater acceptance and implementation has been the electric vehicle. Recently the attacker’s focus has been on the Nissan Leaf. The attack on this model was relatively easily accomplished through the web browser (Ashford, 2016; Walford, 2016). The attacker only needed the VIN to access the system (Ashford, 2016). Anyone could get this data by looking in the window or by manipulating the VIN algorithm, namely the last four digits (Ashford, 2016; Zorz, 2016). With this vulnerability being accessed from any IP, the car can be hacked from across the planet (Abel, 2016; Torchinsky, 2016).
The attack was announced previously in Canada and only discussed in online forums (Ashford, 2016). Nissan was contacted regarding the vulnerability but did not correct this in a timely manner. Finally this was reported widely and Nissan removed the app (Lacey, 2016) and thus removed the vulnerability.
Although this was a legitimate attack, this was between two parties that knew each other. The target was a Nissan Leaf located in the UK owned by a friend while the attacker was in Australia (Abel, 2016; Torchinksy, 2016, Walford, 2016b). As the API was insecure and allowed anyone to log in (Mearian, 2016), the effort was nominal (Abel, 2016; Walford, 2016). This insecure API was with the Nissan Connect EV application fka CarWings (Mearian, 2016; Cluley, 2016; Weise, 2016; Hammerschmidt, 2016). This API was used to remotely control the vehicle’s function (Mearian, 2016) including the heating and air conditioning systems (Ashford, 2016) and could be used to drain the battery’s energy (Abel, 2016; Torchinsky, 2016). This could also control the vehicle and modify the historical driving data (Mearian, 2016). With this attack, only the functions interacting with the mobile phone app were affected.
“Although this was a legitimate attack, this was between two parties that knew each other.”
This predominantly may be described as a generic attack as this could be used against other platforms (Aron, 2016). This attack shows technology is moving forward too quickly. The marketing and consumer needs are trumping the security. The regard for security and safety appears to be lacking (Ashford, 2016). In this instance the API was engineered intentionally without security (Abel, 2016). There was no authentication and attacker only needed the VIN (Zorz, 2016; Cluley, 2016; Torchinsky, 2016; Hammerschmidt, 2016). At best security was an afterthought (Kieler, 2016; Weise, 2016).
Learn about how to protect your business by training your employees with National Cybersecurity Institute’s training programs.
Abel, R. (2016, April 4). ‘Father of car hacking’ awarded for researched. Retrieved from http://www.scmagazineuk.com/father-of-car-hacking-awarded-for-research/article/487247/
Aron, A.J. (2016, February 26). Security researcher found a loophole in nissan’s app for leaf electric car. Retrieved from http://www.biztekmojo.com/002121/security-researcher-found-loophole-nissans-app-leaf-electric-car
Ashford, W. (2016, February 25). Nissan breaks basic security rules with leaf electric car app. Retrieved from http://www.computerweekly.com/news/4500274612/Nissan-breaks-basic-security-rules-with-leaf-electric-car-app
Cluley, G. (2016, February 24). Lousy Nissan leaf security leaves cars open to online exploitation. Retrieved from https://www.grahamcluley.com/2016/02/lousy-nissan-leaf-security-leaves-cars-open-online-exploitation/
Hammerschmidt, C. (2016, February 26). Security expert discloses security flaw in nissan vehicles. Retrieved from http://www.eetimes.com/document.asp?doc_id=1325091
Kieler, A. (2016, February 25). Nissan disables electric car app over security flaw that allows other users to control vehicle temps. Retrieved from http://consumerist.com/2016/02/25/nissan-disables-electric-car-app-over-security-flaw-that-allows-other-users-to-control-vehicle-temps/
Lacey, S. (2016, February 29). Security flaws made Nissan leaf owners vulnerable to a hack. Retrieved from http://www.greentechmedia.com/articles/read/security-flaws-made-nissan-leaf-owners-vulnerable-to-a-hack
Mearian, L. (2016, March 23). Should you worry that your car will be hacked? Retrieved from http://www.computerworld.com/article/3047193/security/should-you-be-worried-your-car-will-be-hacked.html
Walford, L. (2016, February 24). Nissan leaf connected car features hacked on web-climate, seats, battery & trip logs. Retrieved from http://www.autoconnectedcar.com/2016/02/nissan-leaf-connected-car-features-hacked-on-web-climate-seats-battery-trip-logs/
Walford, L. (2016b, February 24). Leaf carwings Nissan connect EV remote control app grounded. Retrieved from http://www.autoconnectedcar.com/2016/02/leaf-carwings-nissan-connect-ev-remote-controls-app-grounded/
Torchinsky, J. (2016, February). How the Nissan leaf can be hacked via web browser from anywhere in the world. Retrieved from http://jalopnik.com/how-the-nissan-leaf-can-be-hacked-via-web-browser-from-1761044716
Weise, E. (2016, February 25). Nissan leaf app deactivated because it’s hackable. Retrieved from http://usatoday.com/story/tech/news/2016/02/24/nissan-disables-app-hacked-electric-leaf-smart-phone-troy-hunt/80882756
Zorz, Z. (2016, February 25). Insecure APIs allow anyone to mess with Nissan leaf electric car. Retrieved from https://www.helpnetsecurity.com/2016/02/25/insecure-apis-allow-anyone-to-mess-with-nissan-leaf-electric-car/
Charles Parker, II
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s
background includes work in the banking, medical, automotive, and staffing industries.
Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.