The security of connected cars was again called into question this week after it emerged that the world’s most popular electric vehicle, the Nissan Leaf, has a serious design flaw which could allow an attacker to remotely hack it.
The issue was flagged in a lengthy blog post by security researcher Troy Hunt, who informed Nissan a month ago about the issue after seeing it being actively discussed on user forums.
It relates to an underlying problem with the car’s NissanConnect app; namely that it only requires the Vehicle Identification Number for authentication.
This is usually found on the car’s windscreen, or it could be brute forced as only the last five digits differ with each car, Hunt claimed.
After ‘authenticating’ as someone else, an attacker could apparently change the A/C controls, heated seat and steering wheel.
Although not life threatening, it could run the power down on an EV.
The app also exposed personal information and car data such as times and distances driven, creating potential privacy issues.
“It’s a different class of vulnerability to the Charlie Miller and Chris Valasek Jeep hacking shenanigans of last year, but in both good and bad ways. Good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” concluded Hunt.
“As car manufacturers rush towards joining in on the ‘internet of things’ craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place.”
As of Wednesday, Nissan had deactivated the service, while a spokeswoman told the BBC: “Our global technology and product teams are currently working on a permanent and robust solution.”
Tripwire security researcher, Craig Young, claimed Nissan could have introduced two-factor authentication for added protection.
“This could be as simple as having a more involved first time setup in which mobile devices are issued a device token which will subsequently be sent along with a username and password when connecting to the service,” he added.
“Fortunately in this case I would not expect there to be any safety concerns but the possibility remains that this flaw could be used in conjunction with other vulnerabilities to further compromise a connected car.”
SOURCE: Phil Muncaster