Nissan LEAF / NissanConnect EV severe security vulnerability

 
kolmstead said:
"Decline" button seems to work fine, as posted by gsleaf.
Thank you gsleaf and Karl, 1st post updated along with note that Nissan has apparently disabled the API for now (see paulcone's link above).
 
Wow, this is timely. I just bought a 2015 Leaf SV on Saturday. I attempted to login to carwings on Monday, but kept getting the "No Service" message. A call to support told me to bring it in to the dealer because they would have to reset the TCU in order for it to work. I was going to drop it off tomorrow morning until I found this news. I was really looking forward to being able to use the carwings features. Bummer!
 
bjm2020 said:
I was really looking forward to being able to use the carwings features. Bummer!

You're really not missing much. I don't use it much at all.

As a professional software engineer, I'm utterly ashamed something this poorly conceived would even be considered for release into the wild. Did no one at Nissan recognize the obvious implications of remote control without authentication?
 
DavidGreene said:
Did no one at Nissan recognize the obvious implications of remote control without authentication?
I suspect the main problem is that the service was built by a number of companies (every country appears to have their own website with different user interfaces, all of which must interface with the API) to whom Nissan outsourced the project and who promised the world for a dollar and then delivered half-tested crap for two.

The crazy thing is that I bet any number of software engineers on this site could have built an API with much better performance and security for a fraction of whatever Nissan paid.
 
Thanks for the heads up! I just bought a used 2013 Leaf, and haven't created a NissanConnect EV account. I'm just thinking - if the person before me had an account then it would be possible for someone to still hack the car with the VIN, yeah? I guess I should call NissanConnect directly. Anyone else in this situation?
 
DCelectric said:
Thanks for the heads up! I just bought a used 2013 Leaf, and haven't created a NissanConnect EV account. I'm just thinking - if the person before me had an account then it would be possible for someone to still hack the car with the VIN, yeah? I guess I should call NissanConnect directly. Anyone else in this situation?
Access via their smartphone app is now disabled. I confirmed this via their iOS and Android app. Presumably, they disabled any access that didn't come from the appropriate domains/source IP addresses (e.g. wherever the requests come from when you interact w/the NissanConnect site).

When you take possession of a used Leaf, you should call Nissan's Carwings...err NissanConnect support # to take over the account. They'll need documentation such as a receipt/bill of sale as proof that you're the new owner. I had to go thru this when it was still called Carwings.

If the other person didn't remove themselves and Nissan didn't do it, it's likely they can still do stuff via the NissanConnect site. It's not like there's that much functionality though...
 
As I've said to others many times (maybe not here), automakers aren't generally very good at writing software.

Even w/major and well-known software companies, there are those who will say they also aren't any good at that either... so to expect an automaker, where software isn't their bread and butter nor their core competency to be good...

The same goes for suppliers to automakers. I doubt many people will point to these (as examples) companies and say "wow! These guys are leaders in writing great secure software and w/great UI!": ZENRIN DataCom, Clarion, Bosch, Denso, Alpine, Pioneer, Fujitsu Ten/Eclipse, Panasonic, etc.
 
cwerdna said:
It's not like there's that much functionality though...
They sure got it disabled fast once this was made public. Makes you think there is some additional unpublished functionality not available in the public app, but available for sending to the car from the server. For example, given how many of these cars are owned by Nissan's own leasing company I would think that hidden commands might include reporting the car's current GPS location as part of a loss recovery program. The sent data includes the car's GpsDateTime, likely it's set up to report GpsLocation as well. Given their plans for the future, I suspect there is lots more built into the latest LEAFs that's just not yet public.

Speaking of those plans for its Connect Telematics Systems (CTS) systems, this quote seems almost funny now... "Nissan selected Azure because of its enterprise-grade security and compliance."
 
jpadc said:
cwerdna said:
It's not like there's that much functionality though...
They sure got it disabled fast once this was made public. Makes you think there is some additional unpublished functionality not available in the public app, but available for sending to the car from the server.
Indeed. It's quite possible. Then again, they've gotten enough bad PR already, that it's probably best for them to disable, figure out what to do and fix it before they get more bad press and customer support calls.
jpadc said:
Speaking of those plans for its Connect Telematics Systems (CTS) systems, this quote seems almost funny now... "Nissan selected Azure because of its enterprise-grade security and compliance."
LOL. But, the current issue has little or nothing to do w/Azure's security and authentication. One can write and run plenty of insecure stuff on one's own machines or someone else's cloud service.
 
cwerdna said:
Then again, they've gotten enough bad PR already, that it's probably best for them to disable, figure out what to do and fix it before they get more bad press and customer support calls.
I'm sure there are many customers that use NissanConnect that have not seen this info. How are they informing customers it's been disabled? Seems like if they don't, they will get some calls...
 
I write software for a living (huge financial and healthcare) and based on what I saw in the visible APIs and practices used it reminds me of crap we used to get from offshore. Yes, flaw wasn't life threatening... but now makes me wonder about the code powering the Leaf itself and what type of QA was done. I hope Nissan provides more information and reassurances that they will review and improve their coding practices currently in place.
 
With the vast majority of LEAFs having a 2G-based telematics system I doubt many of us will see CarWings/NissanConnect functional again. Ever.

(2G will be killed by AT&T by the end of this year).
 
I'm sure there are other service providers that have 2G available for longer. Just a SIM card swap should do the trick if the integrated card is AT&T locked.

Also, if the network is closed before the warranty ends (5 years) and Nissan shows the middle finger, there will be a class action lawsuit. The terms might mention that Nissan is not responsible, but in reality they are. Nissan chose not to use a 3G chipset even though it was available long before the first Leaf rolled out.

Why? Because when you buy a vehicle you expect (and that is totally acceptable) that the equipment the vehicle has is working until the warranty ends. And one of those things (in addition to radio, camera, seat heaters etc.) is telematics.
 
My bet is that a SIM card from another provider won't work; Nissan is likely using an AT&T-provided SMS gateway that won't allow out-of-network messaging. Also I suspect the VIN to mobile number association is hardwired and stored on Nissan servers.
 
VIN to number is definitely stored by Nissan. Changing the SIM will not be necessary until AT&T drops 2G. But as soon as that happens, Mr. Judge might force Nissan to fix the problem fast, including changing the VIN-number link.
 