Hacked: Hacking Finance

Hacked: A Nissan Leaf via its Own App, Halfway around the World

Introduction

Samburaj Das

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.


LATEST POSTS

Alleged FBI Hacker Lauri Love Ordered to US Extradition by UK Home Secretary 15th November, 2016

The Largest Breach of 2016: 412 Million FriendFinder Accounts Exposed 14th November, 2016

Cybersecurity

Hacked: A Nissan Leaf via its Own App, Halfway around the World

Posted on .

A security researcher has exposed a security flaw in one of the world’s most popular cars, the Nissan Leaf. The exploit takes advantage of a vulnerability through the car’s own application to take control of the car’s functions and journey logs.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Australian security researcher Troy Hunt began his experiment by testing a Nissan Leaf belonging to a fellow security researcher in the UK. He was able to ascertain the VIN (vehicle identity number) easily enough and with it, Hunt was able to turn on the air conditioning and heating systems of the fully electric vehicle.

The vulnerability and the exploit are explained in Hunt’s blog here.

Fundamentally, the vulnerability exists due to unsecured mobile management APIs supplied by Nissan. This glaring vulnerability allows hackers to gain access to non-critical features such as battery charge management of the electric vehicle and climate control via the Nissan Leaf companion application, from anywhere in the world with a basic internet connection.

Somewhat alarmingly, the only piece of information that a malicious hacker would need to mess with a target’s climate control systems or peek into the vehicle’s travel journey logs is the VIN. The alphanumeric string can easily be found stenciled onto a car’s windscreen. Furthermore, hackers would not even need to use the application to run commands remotely. A web browser is all that’s required to initiate commands, the researchers discovered.

Through repeated testing, the researchers determined that the remote hack only worked when the Leaf was dormant and found that the exploit did not work while the car was in motion. However, the owner’s username could still be obtained due to the unsecured APIs, a security hole that could lead to the reveal of the target’s identity.

Speaking to the BBC, Hunt explained:

It’s not that they have done authorization [on the companion app] badly, they just haven’t done it at all, which is bizarre.

The entire video demonstrating the exploit can be seen below:

For its part, Nissan has claimed that it is aware of the vulnerability and that its security engineers are working on a “permanent and robust solution.” The carmaker added that the exploit does not have any effect on the vehicle’s motor functions or safety.

Featured image from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

DON'T MISS OUT

Samburaj Das

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.

There are no comments.

View Comments (0) ...
Navigation
Comodo Threat Research Labs, a provider of computer software and SSL…