Nissan LEAF / NissanConnect EV severe security vulnerability

My Nissan Leaf Forum


fahed2000

Anyone seen this article on BBC News
http://www.bbc.co.uk/news/technology-35642749
Apparently some Nissan Leaf vehicles can be hacked via Carwings, as shown on http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html?m=1

MODERATORS NOTE:
Multiple threads merged. Will be updating this post with instructions on how to secure yourself until Nissan fixes this severe security vulnerability.

Update 2/24/16 19:00 PDT: It's been reported that Nissan has disabled the API, blocking the issue for now.

Summary:

There is a severe vulnerability in NissanConnect EV which allows one to access your account using only your VIN. Once in, this user can issue any command to your car that you would be able to, as well as view your historical data. If you have not registered or set up your vehicle, you are not vulnerable.

How to secure yourself and your vehicle:

The only known way to secure access to your vehicle is to disable NissanConnect EV until Nissan fixes this issue. It appears that the only way to do this is through the Nissan website. If you have made your VIN public, such as through your profile on this site, recommend you remove it.

US LEAF Owners:
Go to the US site and log in: https://www.nissanusa.com/nowners/
Select "Manage Vehicle" and click "Decline" for the NissanConnect EV Agreement.
Alternatively, you can "Delete Vehicle", which will delete all your driving history!

UK LEAF Owners:
Go to the UK site and log in: https://www.nissan.co.uk/GB/en/YouPlus/welcome_pack_leaf.html
Select "Configuration" and click "Remove CarWings".

Canadian, French, Norwegian owners are also confirmed as vulnerable. One should assume that all LEAF telematics systems are vulnerable.
 
Post says it all...

Once someone has your VIN, they basically have full access to all Carwings features and data.

http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
 
Don't worry! Nissan will fix it within 5 years. This is how long it took to make Carwings into a thing that works (NissanConnect EV).
 
arnis said:
Don't worry! Nissan will fix it within 5 years. This is how long it took to make Carwings into a thing that works (NissanConnect EV).

The fix is already coming later this year, at least in the US: http://mynissanleaf.com/viewtopic.php?f=31&t=21522

:D
 
Hello,

This was just posted - another case of car manufacturers/non-high-tech industry not following best practices WRT security:

http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html?m=1

Teaser:
We elected for me to sit outside in a sunny environment whilst Scott was shivering in the cold to demonstrate just how remote you can be and still control features of someone else’s car, literally from the other end of the earth.

Hope Nissan figure this out, although it's nothing like the remote-control-brakes-off story about Chrysler:
http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

Cheers from 2016,
Tal
 
...and in case there are any anti-free-speech chest-beating types, here's the author's description of his good-faith contacting Nissan before publicly disclosing this very obvious, gaping security hole:

Disclosure timeline
I made multiple attempts over more than a month to get Nissan to resolve this and it was only after the Canadian email and French forum posts came to light that I eventually advised them I’d be publishing this post. Here’s the timeline (dates are Australian Eastern Standard time):

23 Jan: Full details of the findings sent and acknowledged by Nissan Information Security Threat Intelligence in the U.S.A.
30 Jan: Phone call with Nissan to fully explain how the risk was discovered and the potential ramifications followed up by an email with further details
12 Feb: Sent an email to ask about progress and offer further support to which I was advised “We're making progress toward a solution”
20 Feb: Sent details as provided by the Canadian owner (including a link to the discussion of the risk in the public forum) and advised I’d be publishing this blog post “later next week”
24 Feb: This blog published, 4 weeks and 4 days after first disclosure
All in all, I sent ten emails (there was some to-and-fro) and had one phone call. This morning I did hear back with a request to wait “a few weeks” before publishing, but given the extensive online discussions in public forums and the more than one-month lead time there’d already been, I advised I’d be publishing later that night and have not heard back since. I also invited Nissan to make any comments they’d like to include in this post when I contacted them on 20 Feb or provide any feedback on why they might not consider this a risk. However, there was nothing to that effect when I heard back from them earlier today, but I’ll gladly add an update later on if they’d like to contribute.

I do want to make it clear though that especially in the earlier discussions, Nissan handled this really well. It was easy to get in touch with the right people quickly and they made the time to talk and understand the issue. They were receptive and whilst I obviously would have liked to see this rectified quickly, compared to most ethical disclosure experiences security researchers have, Nissan was exemplary.
 
Reading through this, the only way to really stop this is to terminate your EVConnect agreement and decline the terms of service.
I contacted Nissan support and they can do it for you, or you can log in on the webpage to do it yourself.
The only real information I got from Nissan was a canned statement about how much they care about security etc etc.
Obviously not enough to actually code the service to be secure, but they really do care, honest.

The sad part is that there probably is security between the car and the Nissan datacenter, but zero security on the customer-facing side.
The only reason they use the VIN is so they know it's the right car; there are no other checks at all - pathetic.
 
MODERATORS NOTE: I have merged all the redundant threads and will be updating the first post on how to secure yourself and a tl;dr of the situation shortly.
 
I have updated the first post with a summary and how to protect yourself.

I haven't seen any other way to disable access for USA VINs. If anyone wants to post info on how to protect yourself for other countries or has suggested edits, please post them.

I also recommend that owners remove their partial VIN and delivery date from their profile as well.
 
fahed2000 said:
How to secure yourself and your vehicle:

The only known way to secure access to your vehicle is to disable NissanConnect EV until Nissan fixes this issue. It appears that the only way to do this is through the Nissan website. If you have made your VIN public, such as through your profile on this site, recommend you remove it.

US LEAF Owners:
Go to the US site and log in: https://www.nissanusa.com/nowners/
Select "Manage Vehicle" and "Delete Vehicle".
Note that this will delete ALL your driving history!

Couldn't you just edit your vehicle and click 'Decline' to the NissanConnectSM EV Agreement? This gives a message saying:

You will also be missing out on key Nissan LEAF™ functionality:
Updating and monitoring your vehicle's status
Turning vehicle's charge on remotely
Activating and deactivating the climate control
Receiving map updates for new charge stations via the navigation system
Choose "Confirm" to opt out of the NissanConnectSM EV agreement and be taken to a feature-limited My Nissan homepage.

then you won't lose your driving history.
 
I just did it on my own car in US to confirm. This is insanely scary and easy to do (took me 2 minutes). I wouldn't even call this a hack. It's going to a web page. I'm a software developer and am shocked at how amateurish this is. They even accept user id and pw credentials via plain text in the querystring!!!! To turn on climate control I didn't even have to authenticate! Nissan should shut down their server for now and break Nissan Connect until they fix this.

Fix would be easy and take someone with any (decent) bit of coding knowledge only a couple days to fix. Heck, even a simple register your device w/ random key would be more secure than this garbage.
 
brian0123 said:
I just did it on my own car in US to confirm. This is insanely scary and easy to do (took me 2 minutes). I wouldn't even call this a hack. It's going to a web page. I'm a software developer and am shocked at how amateurish this is. They even accept user id and pw credentials via plain text in the querystring!!!! To turn on climate control I didn't even have to authenticate! Nissan should shut down their server for now and break Nissan Connect until they fix this.

Fix would be easy and take someone with any (decent) bit of coding knowledge only a couple days to fix. Heck, even a simple register your device w/ random key would be more secure than this garbage.

Yeah, it surprised me how trivial the hack is. I agree that Nissan should shut down their servers until it's fixed.
 
Great combination of absurd non-existent security measures and lack of OTA updates.

I hope this will cost Nissan some money, because that seems to be the only way to motivate many corporations to implement better security.

Edit: it took me under 2 minutes to try this on a Leaf which a local dealer has for sale.... :roll:
 
I just called Nissan to complain. Sounded like they hadn't heard much about it and told them to have their devs call me back if they had questions. I suggest you all call and demand that they at least take the servers down for now. As it stands right now anyone could write a script to turn on all climate control systems for every single leaf around the world. Cars sitting on dealer lots w/ their VINs posted on dealer websites are vulnerable now.
 
brian0123 said:
I just called Nissan to complain. Sounded like they hadn't heard much about it and told them to have their devs call me back if they had questions. I suggest you all call and demand that they at least take the servers down for now. As it stands right now anyone could write a script to turn on all climate control systems for every single leaf around the world. Cars sitting on dealer lots w/ their VINs posted on dealer websites are vulnerable now.
I agree.

It's so easy to create such a script that it's not even funny - I would be very surprised if it won't happen in the next few hours. In the comments of articles about this I already spotted a few "this is how such script would look like"..... the posted examples were incomplete, but it would be super easy to either finish them or just write the whole script.
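
Added example (not code from this thread, from Troy Hunt's post or from Nissan): a minimal in-memory model of the flaw the thread describes, where knowing a VIN is the only requirement, next to the "register your device with a random key" style of fix suggested above. All names, the placeholder VINs and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: VIN -> owning account (placeholder VINs, not real vehicles).
VEHICLES = {"EXAMPLEVIN0000001": "alice", "EXAMPLEVIN0000002": "bob"}
DEVICE_KEYS = {}     # device_id -> (account, random secret key)
SEEN_NONCES = set()  # (device_id, nonce) pairs already accepted


def vulnerable_handle(vin, command):
    """The flawed pattern: the command is accepted for any known VIN."""
    return vin in VEHICLES


def register_device(account):
    """Run once after a normal authenticated login; returns (device_id, key)."""
    device_id, key = secrets.token_hex(8), secrets.token_bytes(32)
    DEVICE_KEYS[device_id] = (account, key)
    return device_id, key


def sign(key, device_id, vin, command, nonce):
    """Client side: MAC over every field the server will act on."""
    msg = "\n".join([device_id, vin, command, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hardened_handle(device_id, vin, command, nonce, tag):
    """Server side: verify the MAC, then ownership, then freshness."""
    entry = DEVICE_KEYS.get(device_id)
    if entry is None:
        return False
    account, key = entry
    expected = sign(key, device_id, vin, command, nonce)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False
    if VEHICLES.get(vin) != account:       # device's account must own this VIN
        return False
    if (device_id, nonce) in SEEN_NONCES:  # reject replayed requests
        return False
    SEEN_NONCES.add((device_id, nonce))
    return True
```

The point of the second handler is that the VIN becomes an identifier only: a request is honoured because it proves possession of a per-device secret bound to the owning account, not because it names the car.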
 