back to article Don't take a Leaf out of this book: Nissan electric car app has ZERO authentication

What started as a live demonstration with a student during a training conference has turned to scarlet-faced embarrassment for Nissan: its Leaf 'leccy shopping carts cars come with an unsecured app for checking the charge state and operating the air-con. Troy Hunt, the Microsoft security bod best known for helping hack victims …

  1. Christian Berger

    Don't put microcomputers into cars...

    I know we all have been promised KITT, but in reality it only leads to exhaust scandals and car hacking.

    Though the car hacking part was already predicted in the 1980s.

    https://www.youtube.com/watch?v=kDMLPvBWvpo

    This video is in German, but shows off the hacking parts better:

    https://www.youtube.com/watch?v=nNKS1rzPkA8

    1. RIBrsiq
      Facepalm

      Re: Don't put microcomputers into cars...

      Horses! We should never have stopped using horses for transport.

      Actually, walking is best, now that I think of it...

      1. AndrewV

        Re: Don't put microcomputers into cars...

        Life was much better before flagella.

        1. Neil Barnes Silver badge
          Coat

          Re: Don't put microcomputers into cars...

          Flagella? Just the thing for beating a dead horse...

          1. Ragarath

            Re: Don't put microcomputers into cars...

            Flagella? Just the thing for beating a dead horse...

            A very, very, small horse?

            1. hplasm
              Coat

              Re: Don't put microcomputers into cars...

              "A very, very, small horse?"

              Have ypu seen the size of the flagella on that...!

            2. oddie

              Re: Don't put microcomputers into cars...

              "A very, very, small horse?"

              -or just one that is far far away?

              1. MyffyW Silver badge

                Re: Don't put microcomputers into cars...

                Flagella?

                I used to like her cookery programmes...but I've always had a thing for curvy girls.

                1. Winkypop Silver badge

                  Re: Don't put microcomputers into cars...

                  Our molecules should never have left the primordial slime...

                  1. Vladimir Plouzhnikov

                    Re: Don't put microcomputers into cars...

                    Oh, c'mon... Our atoms should never have left that nova cloud, in the first place!

                    1. MyffyW Silver badge

                      Re: Don't put microcomputers into cars...

                      @Vlad - Oh, c'mon... Our atoms should never have left that nova cloud, in the first place!

                      Whilst life as a free electron sometimes sounds idyllic, I'm very happy orbiting a nice plump proton.

  2. redpawn

    And...

    We will soon have self driving cars!

    1. Oengus

      With these security issues the self driving car may come sooner than expected (or it may appear to be self driving). Just don't expect a good outcome from the car driving itself.

      I seem to remember videos of a car driving in circles because of an issue in the transmission (https://www.youtube.com/watch?v=uxGlIFlZ0CI is similar).

    2. Steve Davies 3 Silver badge
      Thumb Down

      Re: And...

      That will be hacked and .... crash, bang, wallop. Opps.

      Please.... Stop the world, I wanna get off.

    3. Anonymous Coward
      Anonymous Coward

      Re: And...

      Which will get hacked, drive you to some dark alley where you'll be robbed etc etc

  3. Adam 1

    Updating the smartphone app is the easy part. Both play and apple store will push the notification to your phone and you press install. Simples!

    The hard bit is upgrading the firmware in the leaf itself to authenticate the various API calls. At least, I really hope that involves a trip to Nissan with a USB cable in hand and not some other unauthenticated API to reflash things.. .

    1. Adam 52 Silver badge

      I don't think there's any suggestion in either this article or the BBC one that the car itself is insecure, just the app authenticating to Nissan's web site. If that's the case then no need to patch the car. Equally there's no evidence that the car is secure, and given what we now know it's easy to think it might not be.

      1. Hairy Spod

        no, its not just the app.

        All you needed (before Nissan pulled the plug) was the VIN which is visbile under the windscreen to a passer by and the script which could be run from any computer.

        1. Old Handle

          I think Adam is saying that the app talks to a Nisson server, not directly to the car, so only the app and the server need an update to add some security. Hopefully they weren't equally bone-headed when they designed the protocol the cars uses to talk to HQ.

          1. This post has been deleted by its author

  4. RIBrsiq

    "[...] turned up the utter security-we've-heard-of-it howler".

    I don't think they have actually heard of it.

    If you have any evidence that proves me wrong, please present it.

    1. Michael H.F. Wilkinson Silver badge

      They almost certainly have heard of the word. The meaning is another matter, it seems

      Double facepalm time again

  5. allthecoolshortnamesweretaken

    I call executive decision to safe money (in the short term)!

  6. Adam 1

    alternative fix?

    Might be cheaper to rebrand as Nissan leak

    /I'll grab my coat.

    1. Scott Broukell

      Re: alternative fix?

      Or, indeed, the Nissan Fig Leaf.

      / I've got your coat 'ere along with mine.

    2. Adam 1

      Re: alternative fix?

      We'll need them. Some bastard's flicked on the air con again.

  7. Voland's right hand Silver badge

    VIN is on the front window in Europe

    Just walk down the street and nuke the battery of every Nissan you see.

    1. imanidiot Silver badge
      Facepalm

      Re: VIN is on the front window in Europe

      I was thinking the same thing while reading the article. The VIN is (semi)public as it's right there under the windshield (required by EU law afaik). This is not even security by obscurity.

      1. Nigel 11
        Coat

        Re: VIN is on the front window in Europe

        Insecurity by transparency?

    2. DropBear

      Re: VIN is on the front window in Europe

      "VIN is on the front window in Europe "

      Certainly not on my car - or any car I've seen...

      1. Anonymous Coward
        Anonymous Coward

        Re: VIN is on the front window in Europe

        It's been there on every car I've had since 1994 and my job used involve counting cars/checking VIN numbers. Not sure it's required by law but it's a good first check although if I was buying second hand I'd always check the proper VIN plate which will be elsewhere on the car as the windscreen one would be much easier to change.

      2. Old Handle

        @DropBear

        Are you sure you just haven't noticed? Assuming the format is anything similar to in the US, it's fairly discreet. It's not visible from inside the car. Unusually the bottom part of the window, where it extends below the dashboard, is painted black. And in this area a tiny "window" is left clear, with VIN behind that.

  8. Chris Miller

    No excuse for sloppy security, but

    I'm not sure it would be easy to 'drain the battery'. MY PHEV (purchased following a favourable review by ElReg) comes with a similar app. I can check the battery state, and turn on the heating (handy these cold mornings) or headlights (handy on dark mornings), but that's about it. The heating is the most energy intensive, but only drops the charge state by a few percent.

    It only works from devices that have been physically paired with car's WiFi, and to do this you need the keys. To set it up is quite complicated and most of the complaints on the users' forums are from owners who can't get it to work.

    If I can summon the enthusiasm, I'll run the sniffer on my laptop and see if there's anything interesting to see.

    As an aside, the phone app received an OTA update a few days after I'd got my new shiny car. After Android had updated it, I got a message saying "You now need to update the software in the vehicle". Somewhat sphincter-tightening - the remote possibility of a failed update bricking your £400 phone is one thing, bricking a £40k car is another! Fortunately there were no problems and I've not seen any major ones reported on the aforementioned forums. There are, however, numerous complaints about electric cars being 'bricked' after (ab)using the fast chargers that are now ubiquitous at motorway services, though.

    1. Chris Miller

      Re: No excuse for sloppy security, but

      PS The phone reports WPA2 PSK. I've noticed Marshmallow is quite picky about even allowing you to connect to WiFi networks whose security it doesn't approve of!

    2. Keith Oborn

      Re: No excuse for sloppy security, but

      Interesting: the phone app (which I haven't used for a couple of weeks) is showing "service cannot be provided". The website does still work, but is a flaky as ever.

      In the case of the phone app, I am not sure there is much risk. in reality. It can control the climate control, but *only* when the car is plugged in, so no risk of draining the battery. It can also control the battery charge timer, so the worst impact would be to stop a part-charged car from completing the charge.

      I don't know if the phone app grabs the telematics info (journey details, etc) that the car sends to Nissan, but it certainly doesn't display any such information.

      The website does do all these things of course, but that doesn't require any raw data to leave Nissan's systems.

      So I think my concern would not be with the phone app itself (although it should be fixed, for sure) but with the security between car and Nissan's servers. That's the link over which my travel history is passed.

  9. Mattjimf

    There is a thread documenting the whole thing here - https://speakev.com/threads/nissan-connect-app-security-concerns.15143/

    @Chris Millar, I'm guessing you have an Outlander. As your battery is only good for 25 miles and your lugging a full engine around for when it invariably goes flat, if this was to affect your vehicle it would make little or no difference, it's the electric only vehicles that are most at risk.

    1. TeeCee Gold badge

      The Outlander does waaaay more than 25 miles on a charge. Certainly enough for a decent daily commute with overnight charging.

      And that's what it's for. It allows you to do electric only most of the time, while still being able to function as a practical car. Infinitely more sensible, economical, environmentally friendly and practical than having two cars.....

    2. Chris Miller

      @Mattjimf - good guess! Yes, this 'hack' is much more of a problem for pure EVs (as are many other things - range anxiety, for example). Buying one of these vehicles requires careful consideration of your motoring use and how likely it is to change. 20 miles is enough for me to do 90% of my 'normal' motoring on battery alone, and the occasional long trip can still be relatively efficient in hybrid mode. But if you're pulling a 50 mile commute to a spot where there's no recharging facilities, this may not be the car for you (unfortunately, the government's financial incentives apply just the same).

      @Teecee Mitsi claim 30 miles electric range, but 25 miles is actually a bit optimistic here in the Chilterns, perhaps if I lived in Holland I might get further!

  10. TeeCee Gold badge
    Facepalm

    Ah. Nissan.

    Funny how anything electrical or electronic to do with Nissan has gone from "perfect" to "utter bag of shite" overnight since they were taken over bymerged with Renault.

    I guess that French car electrical crapness must be contagious.

    1. werdsmith Silver badge

      Re: Ah. Nissan.

      They are not merged with Renault, I believe that there is a separate development and engineering company that they both hold shares in.

    2. Anonymous Coward
      Anonymous Coward

      Re: Ah. Nissan.

      > Renault-Nissan alliance

      interesting, thanks, I wasn't aware of that.

      https://en.wikipedia.org/wiki/Renault%E2%80%93Nissan_Alliance

      says it's an alliance via a cross-shareholding agreement. Each company acts in the financial interest of the other—while maintaining individual brand identities and independent corporate cultures.

      1. Alan Brown Silver badge

        Re: Ah. Nissan.

        Be that as it may, a lot of UK built nissans havs "renault" written all over the internal wiring.

  11. Anonymous Coward
    Anonymous Coward

    Anybody got a database of Leaf VINs?

    I fancy turning on a lot of air-cons to their coldest setting all at once...

  12. Pauluss
    Facepalm

    We have a Nissan Leaf, I must admit I noticed that the security seemed a bit lax.

    It's a great car and pretty quick nippy car, but the lack of App security is unacceptable.

    The app itself used to fail for days - often when it was very cold or hot, presumably because everyone logs in to preheat their car using their heated wheel, seats and main climate on these frosty mornings.

    There was a major app update recently, with a new UX and GUI, So I am a little surprised it didn't get sorted out then!

    That said,

    I still prefer driving the Nissan to driving my E Class Coupe on anything but long motorway miles, but the other half has it for her daily driver! :D

    The climate will come on to a preset temp - you cannot change the temp in the app. Would take quite some time to drain the battery as the climate on the Gen 2 Leaf as it uses a heat pump and it very efficient, unless the outside air temp drops below 2-4c - In which case it uses a heating element.

    1. Timmy B

      Mirrors pretty much what I was about to say about our Leaf. They are great to drive, aren't they?

  13. Someone_Somewhere

    Re: I fancy turning on a lot of air-cons to their coldest setting all at once..

    Or turning them up so that people's pets/children die of heatstroke when their parents leave them with the windows up and the A/C on?

    1. Old Handle

      Insecure app could MURDER your children!

      That's horrible, but the Daily Mail thanks you for the headline inspiration.

      1. Someone_Somewhere
        Happy

        Re: Insecure app could MURDER your children!

        Thanks ;)

        A moment of inspiration - I don't have many but, when I do, I do :)

  14. nijam Silver badge

    A friend of mine told Nissan about it a couple of years back, but they were adamant - repeatedly so, in fact - that the absence of security was not a problem. So, no surprise that the recent update to the app did not involve improving its security.

    1. Alan Brown Silver badge

      " but they were adamant - repeatedly so, in fact - that the absence of security was not a problem."

      Your friend wasn't the only one. I made the same point after taking one for a couple of days testing and got the same response.

  15. Aaron 10

    Dear Reg,

    Please do some investigative work on electric cars before posting about them. You cannot "start an engine" on an electric car. There is no engine! The electric motor doesn't need to "idle" like a regular car, so a non-moving electric car takes little power at all.

    Even if the API would support starting the electric car (which it doesn't), the car would sit there with its dash lights on and nothing else -- pulling less than 400W of power. It would take days to run the car's battery out.

    Indeed the API does allow for turning on and off the aircon as well as starting (but NOT stopping) battery charging. It does NOT allow for control of steering, brakes, accelerator, or any mission-critical functionality.

    That being said, Nissan should have known better. Using the API even returns the owner's email address! Marketers can now abuse this API to get LEAF owner's email addresses. Not cool.

    Also, this does not affect the "S" model ("Visia" in the UK) since it does not have cellular connectivity.

    1. Down not across

      Re: Dear Reg,

      Even if the API would support starting the electric car (which it doesn't), the car would sit there with its dash lights on and nothing else -- pulling less than 400W of power. It would take days to run the car's battery out.

      400W dash lights. Wow. That's nearly 4 times the headlights on most normal cars...

      1. annodomini2

        Re: Dear Reg,

        Most dashboards are a computer + infotainment + other vehicle ECU's.

        Effectively ignition on, but not driving.

    2. Adam 1

      Re: Dear Reg,

      It returns the last time the car was used and the number of km driven.

      Imagine someone with a creepy ex who knows the VIN and can now take a pretty good guess at whose house they are now staying at. Or when it says it is charging and they know that pretty much guarantees that the car is at their targets house.

      Note that the APIs tested were read only, or at worst activated the climate control, but that doesn't mean there aren't other remote unlock and find my car calls that haven't made their way into the app as yet but may be supported on the server. Setting up a WiFi pineapple next to free fast chargers to get the VIN and then unlock it.

      It's bad enough that they should have worked alongside the researchers to minimise the attack surface and buy time to fix it properly.

  16. Keith Oborn

    This is hilarious

    I just got an email from NIssan about the temporary withdrawal of Connect.

    In French.

    I got my Leaf from our local dealer. In Basingstoke--.

    What was that comment about Renault?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like