Nissan Leaf hackable through insecure APIs

Anyone anywhere can access unauthenticated APIs exposed by the car turn climate control on and off, access driving records.

Security researchers Scott Helme and Troy Hunt have demonstrated vulnerabilities in the Nissan Leaf remote management APIs that allow anyone with the VIN number of the car to access certain features of it from anywhere across the Internet.

The attack is described in a blog post by Hunt and shown in the embedded video below. Hunt lives in Australia and Helme in the north of England, over 10,000 miles apart, underscoring the 'remoteness' of the remote attack.

Nissan has a mobile app for Apple and Android devices to allow customers to access these features. Inspired by security training he had with Hunt, Helme investigated the programming of his Nissan Leaf and found the APIs it uses open and unauthenticated. The key is absent the car turned off during the attack.

As IoT takes center stage at CES 2016, security gets lost in the wings

Now more than ever, toymakers and smart home device manufacturers have to put security first.

The documented features are limited; the app allows users to:

  • Check state of battery charge
  • Start charging
  • Check when battery charge will complete
  • See estimated driving range
  • Turn on or off the climate control system

There are no obviously dangerous APIs like "ReleaseBreaks" but these are only the APIs used by the documented parts of the app. There may be others.

All Nissan Leafs share a VIN prefix of "SJNFAAZE0U60" with the last 5 characters unique for each. To access the APIs you need to know the full VIN.

Hunt says he informed Nissan of the vulnerability on January 23. They have acknowledged it and say they are working on a solution, but haven't released one yet.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All