Two security experts discovered a gaping security hole in an electric, connected car: the Nissan Leaf.
The Leaf has companion software—the NissanConnectEV app, which provides remote control and access to the car. The app allows a Leaf owner to see information such as the battery status of the vehicle and to control the car’s temperature and other settings.
Security researchers Troy Hunt and Scott Helme discovered that remotely accessing a Leaf car only requires knowing a Vehicle Identification Number (VIN). That’s it—no other security methods are in place.
Hunt wrote in a blog post about his findings:
Gaining access to vehicle controls in this fashion doesn’t get much easier—it’s profoundly trivial. As car manufacturers rush towards joining in on the “internet of things” craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place. Imagine getting it as wrong as Nissan has for something like Volvo’s “digital key” initiative where you unlock your car with your phone.
In fact, it was discovered that a hacker could control several Leaf vehicles at the same time. Hunt was at a software developer’s workshop when an attendee brought to his attention:
…that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs.
The findings are particularly troubling since the connected car and autonomous (self-driving) vehicles are poised to dominate the auto industry. At this year’s CES and Detroit Auto Show, automakers unveiled an array of high-tech, Internet-connected auto prototypes. The industry has been forced to adopt new business models and products as technology companies such as Google and Apple continue to do research and development on making automated connected vehicles.
Additionally, ride-sharing services such as Uber and Lyft have woken automakers out of an innovation slumber, as people are increasingly eschewing the idea of auto ownership.
The push for high-tech vehicles has been so great that there are fears there has been too little conversation about the security risks connected cars may pose. In a whitepaper, network testing solutions company Ixia found that “hackers and ‘hacktivists’ can mount serious attacks on automobiles. The increasing exposure of automotive systems to Internet and external networks with the proliferation of vehicle-to-network (V2N) and vehicle-to-vehicle (V2V) connectivity renders the internal vehicle network vulnerable. Automotive Ethernet and TCP/IP are familiar to hackers and this may increase the potential for attacks.”
Nissan has since taken the remote connect service offline.