
Major Security Flaw With NissanConnect EV Telematics System Means Hackers Can Access Your LEAF Electric Car With Just Its VIN

Most electric and plug-in hybrid cars on sale today have some form of remote telematics system, making it possible for owners to remotely check their car’s battery status, start and stop charging, preprogram the satellite navigation and precondition the cabin ahead of departure.

Usually, such systems — known by a variety of different names by different manufacturers — simply make owning an electric car a more convenient and pleasurable experience. Sometimes, they can even help you continue to drive your car when you can’t find your keys — or help find your car if it is stolen. But as with any other Internet-enabled device, giving an electric car remote telematics capabilities increases the risk that it will one day be the victim of hackers eager to gain access to your vehicle, your property and perhaps your personal information.

Nissan recently touted remote climate control as a benefit to the LEAF -- but now it's a security risk


To mitigate that, automakers are constantly evolving their telematics systems to make them more secure and keep hackers at bay. Some even run bug bounty programs that pay security researchers to report bugs or security loopholes, helping patch problems before they become public knowledge.

But yesterday, more than a month after reporting it to Japanese automaker Nissan, security researchers published details of a security flaw with the all-new NissanConnect EV telematics system used by Nissan in its Nissan LEAF and Nissan e-NV200 electric cars. What’s more, the security loophole is so mind-blowingly large that it’s theoretically possible for hackers to access every single Nissan electric car connected to the service, even if the damage they could do is relatively small.

There is, at least, some comfort in that last statement: while this security flaw allows hackers to gain access to your car’s climate control and charging system, find out information pertaining to recent trips and even figure out what email address you use to log in to the telematics system, it doesn’t appear the system grants access to vehicle locks or to the precise location of your car.

This particular flaw is more an annoyance than anything else.


Having verified the methods described below for ourselves on our own Transport Evolved Staff Nissan LEAF, we think it’s worth being grateful for such small mercies. If, like us, you happen to own a Nissan LEAF, you’ll want to carry on reading, because while the flaw is more annoying than anything else, it’s a rookie mistake, which is hardly reassuring for an automaker working on bringing autonomous vehicles to market in the next few years. And when paired with the wrong kind of circumstances, it could really ruin your day.

Enter Australian security researcher Troy Hunt, a Microsoft MVP for Developer Security, author and international speaker and his colleague, UK-based security researcher Scott Helme, who as it happens also owns a late 2014 Nissan LEAF.

As detailed in a blog posting, Hunt was recently in Norway running a special “Hack Yourself First” workshop designed to teach software developers how to best protect their applications and services from malicious online attacks when an attendee approached him on the second day of the conference. Explaining that he had used some of the tricks taught to him the previous day by Hunt, the attendee said that he had been able to intercept traffic from his NissanConnect EV smartphone app and believed he had found a security flaw with the API (Application Programming Interface) used by Nissan to operate the NissanConnect EV service.

Once the attendee — who has asked to remain anonymous — had figured out the easily-readable protocol used by the NissanConnect EV app, he was not only able to connect to his own Nissan LEAF using HTTPS GET requests but also to other Nissan LEAFs, simply by guessing the Vehicle Identification Number (VIN) of the car he wished to control.

Nissan is aware of the flaw and is working hard to fix it.


How? We’ll explain in more technical detail below, but it boils down to an astonishingly poor omission on Nissan’s part: connections to the NissanConnect EV system require just a VIN, not a username, password or any session token tying the request to the account that owns the car. Moreover, that’s true of status requests as well as commands such as turning the climate control on or off. And if you thought that a car’s VIN is hard to come by, you’d be wrong. Like most modern cars on sale today, the VIN of each and every Nissan LEAF is clearly visible from outside the car at the bottom of the windscreen.

Once the VIN has been obtained, a hacker can remotely access your NissanConnect EV-enabled LEAF or e-NV200 from anywhere in the world, retrieve data about recent trips (although not GPS location data) remotely begin charging, or start and stop your car’s climate control. They can’t unlock the doors and they can’t switch the car on, but as Helme explained to us earlier today on the telephone, “a hacker could easily keep sending your car a remote climate control request every fifteen minutes to maliciously run your car’s battery down if it isn’t plugged in.”

What follows is more technical than we like to get here on Transport Evolved. But to explain things properly, we think on this occasion, this level of technicality is required. If you’re not technically minded, feel free to skip the next few paragraphs. If you are, read on.

With the discovery made, Hunt contacted Helme, who he knew also owned a Nissan LEAF. Together, the pair continued their research into the flaw, using both their own findings and publicly-available information already on sites like GitHub detailing how the NissanConnect EV system works.

Nissan's Carwings was buggy, but at least it had a security protocol that worked.


As regulars to the site will know, NissanConnect EV launched last year as a replacement for the notoriously unreliable Nissan Carwings system for electric cars. Carwings and NissanConnect EV offer pre-2016 Nissan electric vehicles the same functionality, and may well talk to the cars themselves in the same way, but they use completely different user-facing APIs as the bridge between an owner’s smartphone or computer and Nissan’s own servers.

With Carwings, Nissan generated a special authentication certificate upon login, which had to be transmitted each and every time a request was made of the XML SOAP API. While it was secure, it was a source of some frustration for developers, who often called it a “pain to work with.”

Nissan’s new API, by contrast, follows more contemporary methods of passing data from one device to another and, when examined in its original format, seems to ask for the usual login details that you’d expect of any securely-implemented service. But while those who have documented the API note that Nissan’s initial login process does indeed seem to securely transmit an owner’s NissanConnect EV username and password over HTTPS, subsequent requests are neither authenticated nor checked against the account that logged in: the server acts on whatever VIN the request carries.

The fault means hackers can access your LEAF's climate control.


It’s something this author noted for herself this weekend, when playing with the documented API to create an IFTTT action for her own Nissan LEAF. Following the instructions posted on various GitHub pages, I was able to remotely log into carwings and, dutifully copying what I thought were the required parameters into an HTTPS GET request, was able to start charging as well as remotely start and stop climate control in our Staff Car Nissan LEAF.

Yet, say Hunt and Helme, there’s no need for anything other than the VIN to be sent to Nissan’s telematics servers. Indeed, there’s no need to log in either. Simply send a request carrying the right VIN, and the NissanConnect EV servers will happily relay the command to that particular car.

To try it ourselves, we sent a request to one of our own Staff Car Nissan LEAFs, without first logging into Nissan’s system. Sure enough, the request was successful, and an email pinged up informing us climate control had been activated.

Unlike the previous Nissan Carwings telematics system, which was secure if a little buggy, Nissan’s new system seems to have designed an authentication step but never enforced it: the login exists, but nothing checks that later requests come from a logged-in user who actually owns the car whose VIN they name.
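To make the distinction concrete, here is an added toy model of the two designs the preceding paragraphs contrast (VIN-only requests versus a login whose session is actually checked). It is illustrative code written for this article, not Nissan’s backend or the researchers’ scripts; the account names, VINs, route names and the in-memory session store are all invented for the example.

```python
"""Toy model of a telematics backend (constructed for illustration, not Nissan's code).

Two handlers for the same "climate on" command:
  climate_on_vin_only   - the flawed design: the VIN is the only input, no session needed
  climate_on_authorised - the hardened design: a session from login() plus an ownership check
"""
from dataclasses import dataclass, field
import secrets

# Constructed sample accounts: which login owns which car (hypothetical VINs).
OWNERS = {
    "alice@example.com": {"password": "correct horse", "vins": {"SJNTEST0000000001"}},
    "bob@example.com":   {"password": "battery staple", "vins": {"SJNTEST0000000002"}},
}


@dataclass
class Telematics:
    commands: list = field(default_factory=list)   # (action, vin) pairs relayed to cars
    sessions: dict = field(default_factory=dict)   # session token -> account email

    def login(self, email, password):
        """Username/password over the (assumed) TLS channel; returns a session token."""
        acct = OWNERS.get(email)
        if acct is None or not secrets.compare_digest(acct["password"], password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def climate_on_vin_only(self, vin):
        """Flawed: no session, no ownership check; any well-formed VIN is acted on."""
        self.commands.append(("climate_on", vin))
        return {"status": 200, "vin": vin}

    def climate_on_authorised(self, token, vin):
        """Hardened: require a live session AND that the session's account owns the VIN."""
        email = self.sessions.get(token)
        if email is None:
            return {"status": 401, "error": "login required"}
        if vin not in OWNERS[email]["vins"]:
            # Logged in, but not this car's owner: refuse without confirming the VIN exists.
            return {"status": 403, "error": "not your vehicle"}
        self.commands.append(("climate_on", vin))
        return {"status": 200, "vin": vin}


def enumerate_vins(prefix, count):
    """Candidate VINs differing only in the serial digits, as an attacker would guess them."""
    return [f"{prefix}{n:06d}" for n in range(1, count + 1)]


def demo():
    backend = Telematics()
    guessed = enumerate_vins("SJNTEST0000", 3)

    # An attacker who never logs in walks the serial numbers against both designs.
    vuln = [backend.climate_on_vin_only(v)["status"] for v in guessed]
    unauth = [backend.climate_on_authorised("", v)["status"] for v in guessed]

    # A genuine customer logs in, then targets someone else's car versus their own.
    bob = backend.login("bob@example.com", "battery staple")
    cross = backend.climate_on_authorised(bob, "SJNTEST0000000001")["status"]
    own = backend.climate_on_authorised(bob, "SJNTEST0000000002")["status"]

    return {"vuln": vuln, "unauth": unauth, "cross": cross, "own": own,
            "relayed": len(backend.commands)}


if __name__ == "__main__":
    print(demo())
```

The flawed handler relays every guessed VIN; the hardened one relays only Bob's own car, and the ownership check is what turns the VIN from a credential into a mere identifier.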

How did this happen? It could have been the result of a conscious management decision, incompetence, or malicious intent. Right now, however, that’s not important. Patching the security flaw is, along with repairing the already damaged reputation of Nissan’s telematics system.

While the NissanConnect EV system in question has different endpoints (different servers) for each key market area, it seems that this particular flaw is present regardless of where in the world a customer’s car is. And while Hunt said that he and Helme first contacted Nissan one month ago to notify it of the problem, they decided to publish details of the exploit yesterday because the majority of the information concerning the API — which could lead someone else to find the exploit — was already in the public domain.

On the scale of one to ten, where one is a minor annoyance and ten is a major security flaw which would make using the car impossible, we’d have to say this particular security flaw is somewhere at the bottom of the scale.

In response to Transport Evolved, Nissan made the following statement:

Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions. It has no effect whatsoever on the vehicle’s operation or safety.

Our global technology and product teams are currently working on a permanent and robust solution. We are committed to resolving the issue as a matter of priority, ensuring that we deliver the best possible experience for our customers through the app now and in the future.

Right now, it’s worth remembering that there is a risk that some malicious script-kiddie could slowly run down your car’s battery pack in the 8 hours while it’s parked at work every day just because they think it’s funny. Potentially, there’s a risk they could do something worse, although that’s unlikely.
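Until a fix ships, the behaviour described above (an anonymous client walking VINs, or one repeatedly switching a single car’s climate control on) is visible server-side in ordinary access logs. The following is an added example of that detection logic, written for this article rather than taken from Nissan or the researchers; the log format, the field order and the thresholds are assumptions, and the log lines are constructed.

```python
"""Detection over constructed telematics access-log lines (not real Nissan logs).

Assumed columns: timestamp  client-ip  session-id ("-" if none)  action  VIN
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2016-02-24T07:30:00 198.51.100.7 s1 climate_on SJNTEST0000000042
2016-02-24T08:00:00 203.0.113.9 - battery_status SJNTEST0000000001
2016-02-24T08:00:01 203.0.113.9 - battery_status SJNTEST0000000002
2016-02-24T08:00:02 203.0.113.9 - battery_status SJNTEST0000000003
2016-02-24T08:00:03 203.0.113.9 - battery_status SJNTEST0000000004
2016-02-24T08:00:04 203.0.113.9 - battery_status SJNTEST0000000005
2016-02-24T08:00:05 203.0.113.9 - battery_status SJNTEST0000000006
2016-02-24T09:00:00 203.0.113.9 - climate_on SJNTEST0000000042
2016-02-24T09:15:00 203.0.113.9 - climate_on SJNTEST0000000042
2016-02-24T09:30:00 203.0.113.9 - climate_on SJNTEST0000000042
2016-02-24T09:45:00 203.0.113.9 - climate_on SJNTEST0000000042
"""


def parse_log(text):
    """Split each non-empty line into a record; malformed lines raise rather than hide."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, session, action, vin = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "anonymous": session == "-",
            "action": action,
            "vin": vin,
        })
    return records


def detect_enumeration(records, min_distinct_vins=5):
    """Clients that, without any session, address many different VINs:
    the signature of someone walking the VIN space."""
    vins_by_ip = defaultdict(set)
    for r in records:
        if r["anonymous"]:
            vins_by_ip[r["ip"]].add(r["vin"])
    return {ip for ip, vins in vins_by_ip.items() if len(vins) >= min_distinct_vins}


def detect_battery_drain(records, window=timedelta(hours=1), min_hits=3):
    """VINs receiving repeated unauthenticated climate-control commands inside one
    window: the 'every fifteen minutes' battery-drain pattern Helme describes."""
    times_by_vin = defaultdict(list)
    for r in records:
        if r["anonymous"] and r["action"] == "climate_on":
            times_by_vin[r["vin"]].append(r["ts"])

    flagged = set()
    for vin, times in times_by_vin.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            j = max(j, i)
            # Extend the window [times[i], times[i] + window] as far as it reaches.
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_hits:
                flagged.add(vin)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("enumerating clients:", detect_enumeration(recs))
    print("drained VINs:", detect_battery_drain(recs))
```

The owner’s own request at 07:30 carries a session and is ignored; the anonymous client at 203.0.113.9 is flagged both for touching seven different VINs and for hitting one car four times in an hour. Once the API requires a checked session, the “anonymous” column disappears entirely, which is the real fix; the detector is only a stopgap for the live window.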

There's a small risk you could be the victim of hackers -- until Nissan fixes the problem.


Under Nissan’s own terms and conditions for its telematics system, however, the automaker is pretty clear about its responsibilities for the service. As Helme noted in his conversation with us earlier today, Nissan’s original Carwings telematics service agreement laid things out in black and white.

“As between you and Nissan, you agree that you are solely responsible for any use of CARWINGS in your Electric Vehicle, even if you are not the one using it, and even if you later claim the use was not authorized,” it says.  “You are entirely responsible for any transaction with anyone in connection with your use of CARWINGS.”

Based on that, we’d suggest LEAF owners have two options right now: continue to use their car’s telematics system and hope nothing bad happens between now and when Nissan patches the flaw, or temporarily unregister their car from the system.

As with any developing story, we’ll be sure to bring you any updates as we have them.


  • Greg

    One easy way to mitigate the risk of your traction battery pack being run down is to make sure you have set up email and/or text notifications for all climate control actions. This way, if someone does manage to remotely turn your climate control on without your knowledge or permission you can quickly log in and shut it off, or, assuming you are relatively near your vehicle, as most of us are, go to the vehicle and start and stop the vehicle to disable the climate control. Personally, I think unregistering the vehicle is an overreaction. If you set notifications and find someone has accessed your vehicle, then I’d unregister until Nissan fixes things.

  • Great work by the security researchers writing up the issue with Nissan’s Connect API service, explaining the details, and providing context. Thanks.

    Think Nissan could fix the open access issue by allowing API access responses ONLY to a “prior registered remote device” (mobile phone, or laptop computer … ie: the MAC IP address). Using an authenticated (new) service feature a LEAF owner could register a device that would be granted access to their LEAF. Requests from other sources could then be logged by Nissan Connect Services, and a legal text response be sent to the requesting remote device; while no command message would be sent to the owner’s LEAF. Such a service update would NOT require update(s) to each LEAF; just the Nissan Connect service.

    FYI: It could still be possible for a 3rd party to connect to a LEAF … BUT a hacker would need to know a registered device (MAC address) and a VIN number. This would require much more effort to research and acquire; making it very unlikely that someone submitting random VIN numbers to the Connect API would cause a command to be sent to that LEAF.

    Hopefully Nissan is following this case and will respond quickly in a professional manner to address concerns. We are in the early days of connected vehicles and handling of these early issues could affect brand image.

    • Joe Viocoe

      Not as easy as that.
      1) Any change to the API would require a change to the mobile app. Not the car software, but certainly the app. But it is time consuming, since changing the API would likely break that functionality of the existing app version. The existing app version would not understand that it needs to authenticate first.

      2) Yes, it could be just as easy as requiring that a source IP to have authenticated beforehand. But the app doesn’t do this on its own currently. Which means the legitimate app users have to know they must try an authenticated action, like remote start/unlock… before trying AC functions. This means educating users. Not seamless, and kinda hacky.

      3) MAC addresses are not visible beyond a link-local connection. Nothing on the internet can see your MAC address, just your switch or Access Point. This is layer 2.
      Plus, MAC addresses are easy to sniff out of the air. Just place a battery powered sniffer (some phones can do this) near where you think the owner might be.

    • Joe Viocoe

      Yep, as I said… They had to shut down the app to make any changes.

Content Copyright (c) 2016 Transport Evolved LLC