Nissan LEAF / NissanConnect EV severe security vulnerability

dhanson865 said:
Has anyone tried this on a US VIN? The article mentions Canada, France, Norway, but no US.


Yes, I have a prior URL to turn on my climate control with two arguments: DCMID and VIN. DCMID is derived from the username and password with another URL. It appears that leaving the DCMID blank in the URL still turns on my climate control. This is a mess. All the posted VINs are vulnerable.
 
jfiveash said:
dhanson865 said:
Has anyone tried this on a US VIN? The article mentions Canada, France, Norway, but no US.


...... All the posted VINs are vulnerable.
All VINs are vulnerable - attacker doesn't have to target specific VIN, but go for all VINs or certain range of VINs.
 
While the news is clearly shocking, can someone enlighten me please why I should be freaking out over this? That my climate control may run for 15 minutes or someone finds how much time I spent in LA traffic this morning on my way to work? Meh.
 
Valdemar said:
While the news is clearly shocking, can someone enlighten me please why I should be freaking out over this? That my climate control may run for 15 minutes or someone finds how much time I spent in LA traffic this morning on my way to work? Meh.

You live in California, maybe you never go to the mountains. So at 70F who cares.

Now try that at 32F or 0F when you need every KW to get home on a 50 mile trip and someone randomly drains half your pack charge. Keep in mind the preheat/precool defaults to 75F and can't be changed so if it is cold outside the heat will come on.

You come back to a car that doesn't have enough range to make it home so you have to charge on a L1 or L2 or whatever you have until you get back your half a pack of charge and you have to sit there and make sure they don't do it again unless you have a heater off mod switch like the one in
http://www.mynissanleaf.com/viewtopic.php?t=20446
 
Valdemar said:
While the news is clearly shocking, can someone enlighten me please why I should be freaking out over this? That my climate control may run for 15 minutes or someone finds how much time I spent in LA traffic this morning on my way to work? Meh.
If (when) someone bothers to write a relevant script, they can mess with all LEAFs that have remote operations enabled - repeatedly disabling your car's charging, turning on heating etc.

I hope, that Nissan just shut down their server, until they fix it.
 
All a malicious hacker has to do is send a string of VINs every 20 minutes or so and your HVAC will stay on continuously and eventually run down your battery if the car is not charging... It's more an indication of how incompetent Nissan is than it is a real, serious problem...

Valdemar said:
While the news is clearly shocking, can someone enlighten me please why I should be freaking out over this? That my climate control may run for 15 minutes or someone finds how much time I spent in LA traffic this morning on my way to work? Meh.
 
Rebel44 said:
Valdemar said:
While the news is clearly shocking, can someone enlighten me please why I should be freaking out over this? That my climate control may run for 15 minutes or someone finds how much time I spent in LA traffic this morning on my way to work? Meh.
If (when) someone bothers to write a relevant script, they can mess with all LEAFs that have remote operations enabled - repeatedly disabling your car's charging, turning on heating etc.

I hope, that Nissan just shut down their server, until they fix it.

They can start a charge session remotely but they can't stop it. There is nothing in the API to stop a charge session.
 
One possibly mitigating point I didn't see discussed in the article is if it is known that Nissan has some sort of "rate limit" on how often requests can be made, either by a specific IP address or to a specific VIN.

On the positive side, I've considered Carwings/Nissan Connect to be broken and nearly useless anyway - maybe this will be the incentive they need to actually fix it and make it useful?
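
The two server-side checks this thread keeps coming back to (a blank DCMID being accepted so that the VIN alone selects the car, and the open question of a rate limit), modelled as an added example that is not part of any post and is not Nissan's code. The token format, status codes, sample VINs and the 60-second interval are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data: server secret and which account owns which VIN.
SERVER_KEY = b"constructed-demo-key"
VIN_OWNER = {"SAMPLEVIN00000001": "alice", "SAMPLEVIN00000002": "bob"}
MIN_INTERVAL = 60   # assumed policy: seconds between accepted commands per VIN
_last_cmd = {}      # VIN -> time of the last accepted command

def _mac(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def issue_token(user):
    """Credential handed out after login; stands in for the DCMID."""
    return f"{user}:{_mac(user)}"

def user_from_token(token):
    """Return the authenticated user, or None for a blank or forged token."""
    user, sep, mac = (token or "").partition(":")
    if not sep or not user:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None

def climate_on_unchecked(vin, token):
    """Behaviour reported in the thread: the credential is never examined."""
    return 200 if vin in VIN_OWNER else 404

def climate_on_checked(vin, token, now=None):
    """Authenticate, authorize the user for this VIN, then rate-limit per VIN."""
    now = time.time() if now is None else now
    user = user_from_token(token)
    if user is None:
        return 401                       # blank or invalid credential
    if VIN_OWNER.get(vin) != user:
        return 403                       # valid user, but not this car's owner
    if now - _last_cmd.get(vin, float("-inf")) < MIN_INTERVAL:
        return 429                       # too many commands for this VIN
    _last_cmd[vin] = now
    return 200
```

The rate limit is applied only after authentication and ownership pass, so unauthenticated traffic cannot be used to lock the owner out of their own car.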
 
dhanson865 said:
Rebel44 said:
Valdemar said:
While the news is clearly shocking, can someone enlighten me please why I should be freaking out over this? That my climate control may run for 15 minutes or someone finds how much time I spent in LA traffic this morning on my way to work? Meh.
If (when) someone bothers to write a relevant script, they can mess with all LEAFs that have remote operations enabled - repeatedly disabling your car's charging, turning on heating etc.

I hope, that Nissan just shut down their server, until they fix it.

They can start a charge session remotely but they can't stop it. There is nothing in the API to stop a charge session.
OK, at least some good news. Still, this could quickly become pretty annoying to many users.
 
"Decline" button seems to work fine, as posted by gsleaf.

I probably won't bother to turn NissanConnect EV back on again; it's going to break in December of this year anyway when AT&T shuts down 2G cellular service.

Regarding the comments about turning on my AC or heater every 20 minutes... why would a hacker need to do that? If I turn it on via the Nissan app, it stays on for at least an hour. I've never seen it time out. Maybe they're confusing this with the timers you can set in the car. Those only run the HVAC for fifteen minutes before they turn it off.

-Karl
 
Is there a fuse that can be pulled to simply disable the telematics connection until this issue is resolved?

Disabling the account via the web might be OK, but myself, I'd prefer a hardware solution.
 
Valdemar said:
While the news is clearly shocking, can someone enlighten me please why I should be freaking out over this? That my climate control may run for 15 minutes or someone finds how much time I spent in LA traffic this morning on my way to work? Meh.
Meh, it's not like anyone could use that information along with your username and past driving data to locate you and learn when you're not home. You probably post on Facebook when you go away on vacation and pictures of the inside of your house too...
dhanson865 said:
They can start a charge session remotely but they can't stop it. There is nothing in the API to stop a charge session.
Well, just because Nissan did not build in a feature into its Carwings/Nissan Connect app for end users (Customers) does not mean there are not undocumented commands that the car would respond to if they were sent from the server. But they might be discovered now....

This is just one more example that points to the need for pressure to be placed on companies about securing internet connected vehicles and one more reason I'm glad my car is not so connected.
 
jpadc said:
Valdemar said:
While the news is clearly shocking, can someone enlighten me please why I should be freaking out over this? That my climate control may run for 15 minutes or someone finds how much time I spent in LA traffic this morning on my way to work? Meh.
Meh, it's not like anyone could use that information along with your username and past driving data to locate you and learn when you're not home. You probably post on Facebook when you go away on vacation and pictures of the inside of your house too...

Are you asking if I'm paranoid? Sometimes, but not in this case. I'm more concerned about crooks who just scan the neighborhoods from their cars.
 
jpadc said:
dhanson865 said:
... There is nothing in the API to stop a charge session.
Well, just because Nissan did not build in a feature into its Carwings/Nissan Connect app for end users (Customers) does not mean there are not undocumented commands that the car would respond to if they were sent from the server. But they might be discovered now....
Awesome!!
That would be great info to have!!!
But there's probably something bad that could happen as well, right? ;-)

desiv
 
DNAinaGoodWay said:
Valdemar said:
Rebel44 said:
... Still, this could quickly become pretty annoying to many users.

I'll take an action when it starts to annoy me personally, chances are Nissan will patch this hole before that.

+1. I'll get a text if the CC starts up, I can always disconnect then.

There is one caveat, they probably can disable notifications via API prior to messing with your Leaf ;)
 
kolmstead said:
...

Regarding the comments about turning on my AC or heater every 20 minutes... why would a hacker need to do that? If I turn it on via the Nissan app, it stays on for at least an hour. I've never seen it time out. Maybe they're confusing this with the timers you can set in the car. Those only run the HVAC for fifteen minutes before they turn it off.

-Karl

2012 Leaf manual, Page 4-12, Remote Climate Control section:

The climate control can be operated for a
maximum of 2 hours when the charge
connector is connected to the vehicle, or a
maximum of 15 minutes when the charge
connector is disconnected.

Is it different on newer Leafs?
 
Valdemar said:
DNAinaGoodWay said:
Valdemar said:
I'll take an action when it starts to annoy me personally, chances are Nissan will patch this hole before that.

+1. I'll get a text if the CC starts up, I can always disconnect then.

There is one caveat, they probably can disable notifications via API prior to messing with your Leaf ;)

Right! Thanks. I just went out and hit decline to disconnect and it took a couple tries because the system was busy. I guess a lot of us are doing that right now.
 