A recently discovered vulnerability in the Nissan Leaf APIs (application programming interfaces) could leave owners of the vehicles susceptible to attacks from anywhere in the world, according to a security researcher. The exploit allows anyone with the vehicle identification number (VIN) for a Leaf to access the vehicle’s climate control settings as well as records of its recent trips.
The root of the problem stems from the APIs Nissan uses for its iOS and Android apps, which let owners check the state of their batteries, initiate recharging, check the estimated driving range, and turn their cars' climate systems on and off, according to Troy Hunt, the security researcher who discovered the flaw.
Built Without Security
The APIs used by the apps are open and unauthenticated, and as a result hackers can access those same features as long as they can connect to the Internet, Hunt said in a blog post.
“This API thing is just nuts,” said Scott Helme, another security researcher who worked with Hunt to analyze the vulnerability. “It's not even like they just missed auth or didn't check, it's actually not implemented. It was built, intentionally, without security.”
Hunt said that he has made multiple attempts to get Nissan to address the issue but the company has not yet issued a patch. “Clearly the answer is to implement appropriate authorization on all API calls, which, when building an app in the first place, would be a trivial feature to add,” Hunt said.
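The fix Hunt describes, authorization on every API call, is simple to show in code. The following is an added example written for this article, not Nissan’s code or the NissanConnect EV API: a toy vehicle-status service in Python with the flawed pattern (lookup keyed only by a VIN) beside the hardened pattern (a bearer token tied to an owner account, and a check that the requested VIN belongs to that account). All VINs, account names and tokens are constructed placeholders.

```python
"""Added example (not Nissan's code): an unauthenticated vehicle API
beside one that authenticates the caller and checks VIN ownership."""
import secrets

# Constructed sample data with placeholder VINs (not real vehicles).
VEHICLES = {
    "VIN-PLACEHOLDER-0001": {"owner": "alice", "battery_pct": 82, "climate_on": False},
    "VIN-PLACEHOLDER-0002": {"owner": "bob", "battery_pct": 40, "climate_on": False},
}

# Session store: bearer token -> account name. Tokens are issued at login.
SESSIONS: dict[str, str] = {}


class Unauthorized(Exception):
    """Raised when the caller is not allowed to act on the requested VIN."""


def login(account: str) -> str:
    """Issue a random bearer token for an account.

    The password check is omitted; the point of the example is what happens
    after login, when each API call must prove who is asking.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def status_unauthenticated(vin: str) -> dict:
    """The flawed pattern: whoever knows a VIN gets the vehicle's data."""
    return VEHICLES[vin]


def status_authorized(vin: str, token: str) -> dict:
    """Hardened pattern: authenticate the caller, then authorize the VIN.

    Authentication (valid token) is not enough on its own: a logged-in
    user must only see vehicles registered to their own account.
    """
    account = SESSIONS.get(token)
    if account is None:
        raise Unauthorized("invalid or missing token")
    vehicle = VEHICLES.get(vin)
    if vehicle is None or vehicle["owner"] != account:
        # Same error whether the VIN is unknown or belongs to someone else,
        # so the response does not confirm which VINs exist.
        raise Unauthorized("vehicle not found for this account")
    return vehicle


def set_climate_authorized(vin: str, token: str, on: bool) -> bool:
    """State-changing calls get exactly the same check; returns new state."""
    vehicle = status_authorized(vin, token)
    vehicle["climate_on"] = on
    return vehicle["climate_on"]


def is_allowed(vin: str, token: str) -> bool:
    """Convenience predicate: does this token authorize access to this VIN?"""
    try:
        status_authorized(vin, token)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    alice = login("alice")
    print(status_authorized("VIN-PLACEHOLDER-0001", alice))   # allowed
    print(is_allowed("VIN-PLACEHOLDER-0002", alice))          # False
    print(is_allowed("VIN-PLACEHOLDER-0001", "not-a-token"))  # False
```

The ownership check is the part that is easy to forget: an endpoint that validates a token but then trusts the VIN in the request still lets any account read or control any vehicle. Applying the same check to the climate call as to the status call matters because the state-changing endpoint is the one that can drain the battery.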
Security as an Afterthought
Although the automaker has so far failed to issue a fix for the problem, Hunt praised the company’s behavior in responding to his discovery. He said that it was easy for him to reach the necessary individuals, who made time to discuss the issue with him. Nevertheless, the severity of the problem, along with the ease with which it can be exploited, makes it a serious one. “Nissan need [sic] to fix this,” Hunt wrote on his blog.
While the vulnerability doesn’t allow hackers to gain access to the vehicle’s driving controls, “the ease of gaining access to vehicle controls in this fashion doesn’t get much easier -- it’s profoundly trivial," he said. "As car manufacturers rush towards joining in on the 'Internet of things' craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place.”
Until the company patches the vulnerability, Hunt said that the only way for Nissan Leaf owners to be safe is to unregister the NissanConnect EV app that uses the APIs. While the exploit isn’t life-threatening, a malicious hacker could use the APIs to learn personal information about a Leaf owner, or even drain the battery while the vehicle is parked by turning on the heating system, potentially leaving the owner stranded.
Image Credit: Nissan.