Last month, when researcher Troy Hunt warned about the dangers of insecure APIs at a security workshop, little did he know that hours later he would discover an API vulnerability that allowed remote access to onboard computers of 200,000 Nissan Leaf and eNV200 electric automobiles.

“After talking about the way applications can sometimes get APIs wrong, a workshop attendee goes back to his hotel room and 15 minutes later calls to say he has found something fishy with the Nissan Leaf smartphone app,” Hunt said in an interview with Threatpost, speaking about the discovery.

The vulnerability, it turned out, allowed anyone with the right Nissan Leaf and eNV200 vehicle identification number (VIN) to remotely access the car’s climate controls, battery status and GPS logs that included the dates, times and distances the car traveled. This was not exactly the type of vulnerability discovered by Charlie Miller and Chris Valasek, who demonstrated full remote access to a Jeep Cherokee in 2015. But, Hunt says, the Nissan vulnerability stood out because the hack was so easy to execute, allowing any smartphone to remotely control any of the 200,000 impacted Nissan cars – no matter where they were located. In fact, Hunt made a video of himself in Australia hacking a friend’s car based in the UK to prove the point.

On Tuesday, Nissan told Threatpost it took the servers for the NissanConnect EV app offline. A spokesperson said a new secure app is on its way, but wouldn’t say when it would be available.

“The first thing when it comes to determining risk is what you could control? The second thing to ask is, what type of data could someone retrieve?”

While the Nissan vulnerability may be limited in scope, Hunt said, an attacker could still have caused headaches for Leaf and eNV200 car owners. Hunt said most drivers expect a level of privacy when it comes to GPS tracking data that included time and distance traveled. But, beyond the clear privacy violation the Nissan vulnerability posed, there were ways the hack could cause real damage to Nissan car owners.

“There is no doubt if a hacker can figure out how to exploit this vulnerability they would.” “There is a lot of weird antagonistic stuff that goes on the internet,” Hunt said.

In one scenario, an attacker could remotely drain a Leaf’s battery by running heat or cooling systems, stranding the driver. An attacker might also write a script that turns the AC off and on every 30 seconds until something fails. “Now imagine a hacker has the VIN numbers of thousands of cars and runs that script. There is the potential for some costly damages,” he said.

Hunt said VIN numbers are extremely easy to find and can reveal information about where the car was last serviced. Try searching an automobile retailer for Nissan Leafs and hundreds of cars are listed with their VIN numbers easily accessible, he said. With the last five digits of a Nissan Leaf or eNV200 VIN number, the vulnerability Hunt found gave you remote access to that car.

Hunt first downloaded and registered Nissan’s NissanConnect EV app on his phone. Next, he watched to see what backend server the app was communicating with. As he was doing this, he discovered that the vehicle the app was designed to control was identified by the last five numbers of the car’s VIN number. That VIN data was located in URL requests the app made to Nissan. Swap out the VIN number and control a different car, Hunt discovered.

But what really startled Hunt was the fact that the APIs on the server that the NissanConnect EV app connected to were not authenticating the user. That allowed anyone who had credentials to use the Nissan app to anonymously send requests for a specific Leaf to turn on its climate control. Another URL request allowed you to view battery life.

“When you make a request to the car, you are never asked if you are authorized to access this resource,” Hunt said. He politely described Nissan’s lack of safeguards as “a unique design choice.” Others in the security community called it a serious security flaw.

In fact, Nissan Leaf owners were starting to grow concerned, Hunt said. He noticed message boards where car owners were grousing over how poorly designed the NissanConnect EV app was and looking for workarounds. Hunt said Leaf owners were trying to figure out how to manipulate their vehicles because the app was unreliable and cumbersome.

“A number of frustrated app users figured out all they needed to do was feed a URL into a browser to turn on their car’s heat,” Hunt said.

When Hunt originally took his findings to Nissan, he said they were all ears. Then, after the initial private disclosure, Hunt said, Nissan gave him the cold shoulder and still didn’t fix the problem. Weeks later, when Hunt pointed out customers were slowly figuring out the vulnerability on their own, he told Nissan he was going to post his research on his website.

“Nissan was not considering this situation urgent,” Hunt said.
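
The flaw Hunt describes, an API that acts on whatever vehicle identifier a request names without checking who is asking, is fixed on the server by authenticating the caller and confirming that the caller's account owns the named vehicle. The sketch below is an added example, not Nissan's code and not part of the original article; the handler names, token scheme, vehicle identifiers and data are all constructed for illustration.

```python
import hashlib
import hmac

# Everything here is hypothetical sample data, not a real API.
SERVER_KEY = b"constructed-demo-key"
OWNERS = {"alice": {"VEH-AAAAA"}, "bob": {"VEH-BBBBB"}}  # account -> vehicles it owns
BATTERY = {"VEH-AAAAA": 80, "VEH-BBBBB": 55}             # vehicle -> charge percent


def _mac(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user):
    """Session token handed out after login: user name plus a server-side MAC."""
    return f"{user}.{_mac(user)}"


def authenticate(token):
    """Return the user bound to a valid token, or None if missing or forged."""
    user, _, mac = (token or "").partition(".")
    if user and hmac.compare_digest(mac.encode(), _mac(user).encode()):
        return user
    return None


def battery_status_unauthenticated(request):
    """The behaviour described in the article: the vehicle id is the only input."""
    vin = request["vin"]
    if vin not in BATTERY:
        return 404, None
    return 200, BATTERY[vin]


def battery_status_authorized(request):
    """Hardened form: authenticate first, then check ownership of the vehicle."""
    user = authenticate(request.get("token"))
    if user is None:
        return 401, None
    vin = request.get("vin")
    # Same answer for "not yours" and "does not exist", so the endpoint
    # cannot be used to learn which identifiers are valid.
    if vin not in OWNERS.get(user, set()):
        return 404, None
    return 200, BATTERY[vin]
```

The ownership check keys off the authenticated account, never off a value the client supplies, so a guessable identifier such as part of a VIN stops being sufficient on its own.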