Real World Attack - Nissan Electric Vehicle (Leaf)

A relatively new technology that is gaining much greater acceptance and implementation is the electric vehicle. Recently, attackers' focus has been on the Nissan Leaf. The attack on this model was accomplished relatively easily through a web browser (Ashford, 2016; Walford, 2016). The attacker needed only the VIN to access the system (Ashford, 2016). Anyone could get this data by looking in the window or by manipulating the VIN algorithm, namely the last four digits (Ashford, 2016; Zorz, 2016). Because the vulnerability could be reached from any IP address, the car could be hacked from across the planet (Abel, 2016; Torchinsky, 2016).

The attack had been announced previously in Canada and discussed only in online forums (Ashford, 2016). Nissan was contacted regarding the vulnerability but did not correct it in a timely manner. Finally, it was reported widely, and Nissan removed the app (Lacey, 2016), thus removing the vulnerability.

Although this was a legitimate attack, it took place between two parties who knew each other. The target was a Nissan Leaf located in the UK and owned by a friend, while the attacker was in Australia (Abel, 2016; Torchinsky, 2016; Walford, 2016b). As the API was insecure and allowed anyone to log in (Mearian, 2016), the effort was nominal (Abel, 2016; Walford, 2016). The insecure API belonged to the Nissan Connect EV application, formerly known as CarWings (Mearian, 2016; Cluley, 2016; Weise, 2016; Hammerschmidt, 2016). This API was used to remotely control the vehicle's functions (Mearian, 2016), including the heating and air conditioning systems (Ashford, 2016), and could be used to drain the battery's energy (Abel, 2016; Torchinsky, 2016). It could also control the vehicle and modify the historical driving data (Mearian, 2016). With this attack, only the functions interacting with the mobile phone app were affected.

This may predominantly be described as a generic attack, as it could be used against other platforms (Aron, 2016). The attack shows that technology is moving forward too quickly. Marketing and consumer needs are trumping security. Regard for security and safety appears to be lacking (Ashford, 2016). In this instance the API was engineered intentionally without security (Abel, 2016). There was no authentication, and the attacker needed only the VIN (Zorz, 2016; Cluley, 2016; Torchinsky, 2016; Hammerschmidt, 2016). At best, security was an afterthought (Kieler, 2016; Weise, 2016).
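
Added example (not from the cited reports and not Nissan's code): a minimal Python sketch of the flaw described above, where the VIN is the only credential, beside a handler that authenticates the caller and checks that the caller owns the VIN. The VINs, user names, function names and token format are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: these VINs and owners are made up.
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def climate_insecure(vin: str, action: str) -> str:
    """Pattern described above: knowing (or guessing) a VIN is enough."""
    if vin not in OWNERS:
        return "404 unknown vehicle"
    return f"200 climate {action} for {vin}"


def _mac(user: str) -> bytes:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest().encode()


def issue_token(user: str) -> str:
    """Issued only after a real login; expiry and revocation are omitted here."""
    return f"{user}.{_mac(user).decode()}"


def authenticate(token: str):
    """Return the user name if the token's MAC verifies, otherwise None."""
    user, _, mac = token.rpartition(".")
    if user and hmac.compare_digest(mac.encode(), _mac(user)):
        return user
    return None


def climate_hardened(token: str, vin: str, action: str) -> str:
    """Authenticate the caller first, then check ownership of the VIN."""
    user = authenticate(token or "")
    if user is None:
        return "401 authentication required"
    if OWNERS.get(vin) != user:
        # Same answer for "not yours" and "does not exist", so varying the
        # last digits of a VIN does not reveal which VINs are registered.
        return "403 forbidden"
    return f"200 climate {action} for {vin}"
```
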
References
Abel, R. (2016, April 4). ‘Father of car hacking’ awarded for research. Retrieved from http://www.scmagazineuk.com/father-of-car-hacking-awarded-for-research/article/487247/

Aron, A.J. (2016, February 26). Security researcher found a loophole in Nissan’s app for Leaf electric car. Retrieved from http://www.biztekmojo.com/002121/security-researcher-found-loophole-nissans-app-leaf-electric-car

Ashford, W. (2016, February 25). Nissan breaks basic security rules with Leaf electric car app. Retrieved from http://www.computerweekly.com/news/4500274612/Nissan-breaks-basic-security-rules-with-leaf-electric-car-app

Cluley, G. (2016, February 24). Lousy Nissan Leaf security leaves cars open to online exploitation. Retrieved from https://www.grahamcluley.com/2016/02/lousy-nissan-leaf-security-leaves-cars-open-online-exploitation/

Hammerschmidt, C. (2016, February 26). Security expert discloses security flaw in Nissan vehicles. Retrieved from http://www.eetimes.com/document.asp?doc_id=1325091

Kieler, A. (2016, February 25). Nissan disables electric car app over security flaw that allows other users to control vehicle temps. Retrieved from http://consumerist.com/2016/02/25/nissan-disables-electric-car-app-over-security-flaw-that-allows-other-users-to-control-vehicle-temps/

Lacey, S. (2016, February 29). Security flaws made Nissan Leaf owners vulnerable to a hack. Retrieved from http://www.greentechmedia.com/articles/read/security-flaws-made-nissan-leaf-owners-vulnerable-to-a-hack

Mearian, L. (2016, March 23). Should you worry that your car will be hacked? Retrieved from http://www.computerworld.com/article/3047193/security/should-you-be-worried-your-car-will-be-hacked.html

Torchinsky, J. (2016, February). How the Nissan Leaf can be hacked via web browser from anywhere in the world. Retrieved from http://jalopnik.com/how-the-nissan-leaf-can-be-hacked-via-web-browser-from-1761044716

Walford, L. (2016, February 24). Nissan Leaf connected car features hacked on web-climate, seats, battery & trip logs. Retrieved from http://www.autoconnectedcar.com/2016/02/nissan-leaf-connected-car-features-hacked-on-web-climate-seats-battery-trip-logs/

Walford, L. (2016b, February 24). Leaf CarWings Nissan Connect EV remote control app grounded. Retrieved from http://www.autoconnectedcar.com/2016/02/leaf-carwings-nissan-connect-ev-remote-controls-app-grounded/

Weise, E. (2016, February 25). Nissan Leaf app deactivated because it’s hackable. Retrieved from http://usatoday.com/story/tech/news/2016/02/24/nissan-disables-app-hacked-electric-leaf-smart-phone-troy-hunt/80882756

Zorz, Z. (2016, February 25). Insecure APIs allow anyone to mess with Nissan Leaf electric car. Retrieved from https://www.helpnetsecurity.com/2016/02/25/insecure-apis-allow-anyone-to-mess-with-nissan-leaf-electric-car/