Internet of Things (Nissan LEAF) – Be Afraid, Be Sore Afraid

Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

From the post:

Last month I was over in Norway doing training for ProgramUtvikling, the good folks who run the NDC conferences I’ve become so attached to. I was running my usual “Hack Yourself First” workshop which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cover 16 separate discrete modules ranging from SQL injection to password cracking to enumeration risks, basically all the highest priority security bits modern developers need to be thinking about. I also cover how to inspect, intercept and control API requests between rich client apps such as those you find on a modern smart phone and the services running on the back end server. And that’s where things got interesting.

One of the guys was a bit inspired by what we’d done and just happened to own one of these – the world’s best-selling electric car, a Nissan LEAF:

Nissan-Leaf2

What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs. I subsequently discovered that friend and fellow security researcher Scott Helme also has a LEAF so we recorded the following video to demonstrate the problem. I’m putting this up front here to clearly put into context what this risk enables someone to do then I’ll delve into the details over the remainder of the post:

Troy Hunt, located in Australia, controls a Nissan LEAF located in Norther England via a web browser.

Heater on/off, driving (trip) history), nothing more serious but worldwide accessibility via a VIN number is an odd design decision.

You won’t be able to try this on as Nissan is reported to have taken the service offline as of 25 February 2016.

Don’t be too disappointed. Bad design and implementation decisions are repeated over and over again. Perhaps you will find the next one first.

Comments are closed.