How was Nissan's electric car vulnerable to hacking?

The world's best-selling electric car was revealed to have a flaw in the software behind an application connected to the vehicles that could have exposed the cars to certain controls by hackers.

PRNewsFoto/Los Angeles Auto Show/File
A Nissan Leaf on display in Los Angeles in 2010.

The world’s best-selling electric car was at risk of being hacked through a smartphone application linked to the vehicles, say security experts.

The Nissan Leaf, an all-electric hatchback that has sold more than 200,000 units since its launch in 2010, was found to be susceptible to manipulation via the automaker’s NissanConnect app. The program was also connected to some of Nissan’s electric e-NV200 vans, meaning they were at risk as well.

Noted Web security expert Troy Hunt spotted the flaw, along with an attendee at a software conference in Norway where Mr. Hunt was running a workshop. Hunt detailed the pair’s exploration of NissanConnect’s weaknesses in a post on his website.

The app, which pairs its users with certain functions in their cars such as battery charging and climate control, is meant to allow Nissan owners to interact with their cars remotely. What Hunt and his anonymous collaborator discovered, though, was that access to Leaf functions through the app could be obtained by anyone with a valid Vehicle Identification Number (VIN), not just the owner of a specific car.

“Our suspicion that the VIN was the only identifier required was confirmed and it became clear that there was a complete lack of [authorization] on the service,” Hunt wrote in his breakdown of the process. While something like checking the battery level of a car or looking through its driving record may not sound especially threatening to Leaf owners, being able to turn on a Leaf’s air conditioning to drain its battery, or halting a charge in progress, could potentially leave drivers stranded at the hands of hackers.

“Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded,” Hunt wrote. “[That] was a very serious issue.”
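The gap Hunt describes, where the VIN acts as the only identifier and nothing authorizes the caller, is shown below beside a server-side check that ties each request to the authenticated owner. This is an added example, not code from Nissan, the app or Hunt's post; every function name, token and VIN in it is a constructed assumption.

```python
"""VIN-only lookup vs. an owner-bound authorization check.
All names, tokens and VINs are constructed; this is not Nissan's code or API."""
import hmac

# Constructed sample data: which account owns which vehicle.
VEHICLE_OWNER = {
    "TESTVIN0000000001": "alice",
    "TESTVIN0000000002": "bob",
}
# Constructed session store: bearer token -> authenticated account.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}
CLIMATE = {vin: "off" for vin in VEHICLE_OWNER}


def set_climate_vin_only(vin, state):
    """Flawed pattern from the article: the VIN is the only thing checked."""
    if vin not in VEHICLE_OWNER:
        return 404
    CLIMATE[vin] = state  # no caller identity is ever established
    return 200


def authenticate(token):
    """Return the account for a presented token, or None."""
    presented = (token or "").encode()
    for known, account in SESSIONS.items():
        # Constant-time comparison avoids leaking token prefixes via timing.
        if hmac.compare_digest(known.encode(), presented):
            return account
    return None


def set_climate_authorized(token, vin, state):
    """Hardened pattern: authenticate the caller, then check VIN ownership."""
    account = authenticate(token)
    if account is None:
        return 401
    # Same answer for "unknown VIN" and "someone else's VIN", so the
    # endpoint does not confirm which VINs exist.
    if VEHICLE_OWNER.get(vin) != account:
        return 403
    if state not in ("on", "off"):
        return 400
    CLIMATE[vin] = state
    return 200
```
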

On Thursday, the carmaker announced that NissanConnect would be taken offline.

“The NissanConnect EV app ... is currently unavailable,” Nissan said in a statement, according to the BBC. “This follows information from an independent IT consultant and a subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.”

The statement added that no “driving elements” of the Leaf or e-NV200 were at risk, and that “updated versions” of the company’s apps would be released soon. The BBC said that Nissan denied that the flaw posed a risk to anyone's safety.

“Disabling the service was the right thing to do given it appears it's not something they can properly secure in an expeditious fashion,” Hunt told the BBC. “Hopefully this will give them time to build a more robust solution that ensures vehicle features and driving history are only accessible via the authorised owner of the car.”

The growing use of wireless features and connectivity in cars, including more links to the Internet, has left drivers open to outside manipulation. One example is hackers’ ability to unlock cars wirelessly using radio signals, an old weak security link that still could affect drivers today. Other hackers have found loopholes allowing them to directly interfere with drivers using the Internet, even cutting vehicles’ controls and remotely carjacking them, although cars open to that issue were recalled.
