Most electric and plug-in hybrid cars on sale today have some form of remote telematics system, making it possible for owners to remotely check their car’s battery status, start and stop charging, preprogram the satellite navigation and precondition the cabin ahead of departure.
Usually, such systems — known by a variety of different names by different manufacturers — simply make owning an electric car a more convenient and pleasurable experience. Sometimes, they can even help you continue to drive your car when you can’t find your keys — or help find your car if it is stolen. But as with any other Internet-enabled device, giving an electric car remote telematics capabilities increases the risk that it will one day be the victim of hackers eager to gain access to your vehicle, your property and perhaps your personal information.
To mitigate that, automakers are constantly evolving their telematics systems to make them more secure and keep hackers at bay. Some even have funds devoted to paying security professionals and hackers to report any found bugs or security loopholes, helping patch problems before they become public knowledge.
But yesterday, more than a month after reporting it to Japanese automaker Nissan, security researchers published details of a security flaw with the all-new NissanConnect EV telematics system used by Nissan in its Nissan LEAF and Nissan e-NV200 electric cars. What’s more, the security loophole is so mind-blowingly large that it’s theoretically possible for hackers to access every single Nissan electric car connected to the service, even if the damage they could do is relatively small.
There is, at least, some comfort in that last statement: while this security flaw allows hackers to gain access to your car’s climate control and charging system, find out information pertaining to recent trips and even figure out what email address you use to log in to the telematics system, it doesn’t appear the system grants access to vehicle locks or, in fact, the precise location of your car.
Having verified the methods described below for ourselves on our own Transport Evolved Staff Nissan LEAF, we think it’s worth being grateful for such small mercies. If, like us, you happen to own a Nissan LEAF, you’ll want to carry on reading, because while the flaw is more annoying than anything else, it’s a rookie mistake, which is hardly reassuring for an automaker working on bringing autonomous vehicles to market in the next few years. And when paired with the wrong kind of circumstances, it could really ruin your day.
Enter Australian security researcher Troy Hunt, a Microsoft MVP for Developer Security, author and international speaker and his colleague, UK-based security researcher Scott Helme, who as it happens also owns a late 2014 Nissan LEAF.
As detailed in a blog posting, Hunt was recently in Norway running a special “Hack Yourself First” workshop designed to teach software developers how to best protect their applications and services from malicious online attacks when an attendee approached him on the second day of the conference. Explaining that he had used some of the tricks taught to him the previous day by Hunt, the attendee said that he had been able to intercept traffic from his NissanConnect EV smartphone app and believed he had found a security flaw with the API (Application Programming Interface) used by Nissan to operate the NissanConnect EV service.
Once the attendee — who has asked to remain anonymous — had figured out the easily-readable protocol used by the NissanConnect EV, he was not only able to connect to his own Nissan LEAF using https GET requests but also connect to other Nissan LEAFs too, simply by guessing the Vehicle Identification Number (VIN) of the car he wished to control.
How? We’ll explain in more technical detail below, but it boils down to an astonishingly poor omission on Nissan’s part: namely, connections to the NissanConnect EV system require just a VIN, not a username or password. Moreover, that’s true of status requests as well as commands such as turning the climate control on or off. And if you thought that a car’s VIN is hard to come by, you’d be wrong. Like most modern cars on sale today, the VIN for each and every Nissan LEAF is clearly visible from outside the car at the bottom of the car’s windscreen.
Once the VIN has been obtained, a hacker can remotely access your NissanConnect EV-enabled LEAF or e-NV200 from anywhere in the world, retrieve data about recent trips (although not GPS location data), remotely begin charging, or start and stop your car’s climate control. They can’t unlock the doors and they can’t switch the car on, but as Helme explained to us earlier today on the telephone, “a hacker could easily keep sending your car a remote climate control request every fifteen minutes to maliciously run your car’s battery down if it isn’t plugged in.”
What follows is more technical than we like to get here on Transport Evolved. But to explain things properly, we think on this occasion, this level of technicality is required. If you’re not technically minded, feel free to skip the next few paragraphs. If you are, read on.
With the discovery made, Hunt contacted Helme, whom he knew also owned a Nissan LEAF. Together, the pair continued their research into the flaw, using both their own findings and publicly available information already on sites like GitHub detailing how the NissanConnect EV system works.
As regulars to the site will know, NissanConnect EV launched last year as a replacement for the notoriously unreliable Nissan Carwings system for electric cars. Carwings and NissanConnect EV offer pre-2016 Nissan electric vehicles the same level of functionality, and may well connect to customers’ cars in the same way, but they use completely different user-facing APIs as the bridge between an owner’s smartphone or computer and Nissan’s own servers.
With Carwings, Nissan generated a special authentication certificate upon login, which had to be transmitted each and every time a request was made of the XML SOAP API. While it was secure, it was the source of some frustration for developers, who often called it a “pain to work with.”
Nissan’s new API, by contrast, follows more contemporary methods of passing data from one device to another and, when examined in its original format, seems to ask for the usual login details that you’d expect of any securely implemented service. But while those who have documented the API note that Nissan’s initial login process does indeed seem to securely transmit an owner’s NissanConnect EV username and password over https, subsequent requests do not.
It’s something this author noted for herself this weekend, when playing with the documented API to create an IFTTT action for her own Nissan LEAF. Following the instructions posted on various GitHub pages, I was able to remotely log into carwings and, dutifully copying what I thought were the required parameters into an https GET request, was able to start charging as well as remotely start and stop climate control in our Staff Car Nissan LEAF.
Yet, say Hunt and Helme, there’s no need for anything other than the VIN number to be sent to Nissan’s telematics servers. Indeed, there’s no need to log in either. Simply send the right VIN number request, and the NissanConnect EV servers will happily send the relevant request to that particular car.
To try it ourselves, we sent a request to one of our own Staff Car Nissan LEAFs, without first logging into Nissan’s system. Sure enough, the request was successful, and an email pinged up informing us climate control had been activated.
Unlike the previous Nissan Carwings telematics system, which was secure if a little buggy, Nissan’s new system seems to have designed a security protocol but not actually implemented it.
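To make that gap between “designed” and “implemented” concrete, here is an added illustration (not Nissan’s code, nor the researchers’) of a toy vehicle-command service: one handler authorizes by VIN alone, as the page describes, and the other ties every command to a logged-in session and checks that the VIN belongs to that account. All accounts, VINs and tokens are constructed placeholders.

```python
# Added illustration (not Nissan's code): a toy vehicle-command service that
# contrasts VIN-only authorization with a session-bound ownership check.
# All accounts, VINs and tokens below are constructed placeholders.
import secrets

# Constructed account data: which VINs each owner account may control.
ACCOUNTS = {
    "owner-a@example.com": {"password": "pw-a", "vins": {"VIN-A-0001"}},
    "owner-b@example.com": {"password": "pw-b", "vins": {"VIN-B-0002"}},
}
SESSIONS = {}          # token -> account e-mail
AUDIT_LOG = []         # one line per command attempt, for detection and review


def login(email, password):
    """Issue a session token after checking credentials (the step the page says
    NissanConnect EV performs, but then never relies on for later requests)."""
    acct = ACCOUNTS.get(email)
    if acct is None or not secrets.compare_digest(acct["password"], password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = email
    return token


def climate_vulnerable(vin, on):
    """Mirrors the flaw: the only input is the VIN, so anyone who can read a
    windscreen can toggle the climate control of any registered car."""
    if any(vin in a["vins"] for a in ACCOUNTS.values()):
        AUDIT_LOG.append(f"climate vin={vin} on={on} user=<none>")
        return {"vin": vin, "climate": "on" if on else "off"}
    return {"error": "unknown vin"}


def climate_hardened(token, vin, on):
    """Fix: every command must carry a valid session, and the VIN must belong
    to the account behind that session (authorization, not just identity)."""
    email = SESSIONS.get(token)
    if email is None:
        AUDIT_LOG.append(f"DENY climate vin={vin} reason=no-session")
        return {"error": "unauthenticated"}
    if vin not in ACCOUNTS[email]["vins"]:
        # A run of these from one session is the signal a defender alerts on.
        AUDIT_LOG.append(f"DENY climate vin={vin} user={email} reason=not-owner")
        return {"error": "forbidden"}
    AUDIT_LOG.append(f"climate vin={vin} on={on} user={email}")
    return {"vin": vin, "climate": "on" if on else "off"}
```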
How did this happen? It could have been the result of a conscious decision from management, incompetence, or malicious intent. Right now, however, that’s not important. Patching the security flaw is, along with repairing the already damaged reputation of Nissan’s telematics system.
While the NissanConnect EV system in question has different endpoints (different servers) for each key market area, it seems that this particular flaw is present regardless of where in the world a customer’s car is. And while Troy said that he and Helme first contacted Nissan one month ago to notify it of the problem, they made the decision to publish details of the exploit yesterday since the majority of the information concerning the API — which could lead someone else to find the exploit — was already in the public domain.
On a scale of one to ten, where one is a minor annoyance and ten is a major security flaw which would make using the car impossible, we’d have to say this particular security flaw is somewhere near the bottom of the scale.
In response to Transport Evolved, Nissan made the following statement:
Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions. It has no effect whatsoever on the vehicle’s operation or safety.
Our global technology and product teams are currently working on a permanent and robust solution. We are committed to resolving the issue as a matter of priority, ensuring that we deliver the best possible experience for our customers through the app now and in the future.
Right now, it’s worth remembering that there is a risk that some malicious script-kiddie could slowly run down your car’s battery pack in the 8 hours while it’s parked at work every day just because they think it’s funny. Potentially, there’s a risk they could do something worse, although that’s unlikely.
Under Nissan’s own terms and conditions for its telematics system, however, the automaker is pretty clear about its responsibilities for the service. As Helme noted in his conversation with us earlier today, Nissan’s original Carwings telematics service agreement laid things out in black and white.
“As between you and Nissan, you agree that you are solely responsible for any use of CARWINGS in your Electric Vehicle, even if you are not the one using it, and even if you later claim the use was not authorized,” it says. “You are entirely responsible for any transaction with anyone in connection with your use of CARWINGS.”
Based on that, we’d suggest LEAF owners have two options right now: continue to use their car’s telematics system and hope nothing bad happens between now and when Nissan patches the flaw, or temporarily unregister their car from the system.
As with any developing story, we’ll be sure to bring you any updates as we have them.