Vulnerable API allows remote control of Nissan Leaf functions
It is possible to remotely switch the climate control of the Nissan Leaf on and off and to read data about the car without any authorization, security researcher Troy Hunt has discovered. Together with a fellow researcher, he demonstrates the findings on video.
Hunt discovered the flaw during a workshop he gave in Norway, in which he walks developers through sixteen different ways their systems can be attacked. One of the topics is intercepting, inspecting and manipulating the API requests that an application, such as a smartphone app, sends to a service on a remote server that reads or controls something. That is where the workshop started to get interesting, he writes on his blog.
One of the workshop attendees discovered that he could operate his Nissan Leaf without his Leaf iPhone app: by replaying the requests the app sends, he could read data from his car and operate its climate control. After this discovery, Hunt learned that his friend and fellow security researcher Scott Helme also owns a Leaf, and the two recorded a video demonstrating the problem.
They found that it was possible to read data from and send commands to other people's cars by knowing or guessing the last five digits of the Vehicle Identification Number, or VIN. The rest of the VIN identifies manufacturer, model and production details and is therefore largely the same for Leafs sold in the same market, which leaves only a small space to guess. Hunt is in Australia and Helme is in the north of England; by repeating the process from the workshop, Hunt was able to operate Helme's car from the other side of the world.
By routing the iPhone's traffic through an intercepting proxy on a PC, it is possible to see exactly how the mobile app communicates with the online service. Once the NissanConnect EV app is started, the proxy shows which server the app contacts, and the JSON response contains information such as the battery status and whether the car is connected to a charger. What the attendee noticed is that the request carries no credentials or session that ties it to the owner of the car: the only identifier is the VIN, and that number is neither secret nor hard to guess, since it is printed on the car itself, often visible through the windscreen.
Reading a battery status is hardly privacy-sensitive in itself, but the same unauthenticated requests also returned the userId and a resultKey, values that can then be used to issue commands to the car, such as switching the climate control on or off. The researchers were able to do all of this without an authentication step at any point, so every action can be performed completely anonymously. In other words, the server treats a client-supplied object identifier, the VIN, as if it were proof of ownership, a missing object-level authorization check.
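As an added example that is not from the original article, from Nissan or from Hunt's write-up, the following Python models the pattern described above: an endpoint that takes only a VIN and both returns data and accepts commands with no check that the caller owns the car, beside a hardened version that requires a session and checks ownership before answering. Every VIN, user id, session token, telemetry value and function name in it is constructed for illustration and does not reflect the real NissanConnect EV API; the sweep at the end only shows, against this in-memory toy, why a guessable identifier plus a missing check is enough.

```python
"""Added example: modelling the missing-authorization pattern, not Nissan's code.

Everything here is constructed for illustration: the VINs, user ids,
session tokens, telemetry values and function names are hypothetical
and do not reflect the real NissanConnect EV API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed VIN prefix: the part of a VIN that identifies manufacturer,
# model and plant is shared by cars of one model in one market, so only
# the last five digits vary between them, which is what makes guessing cheap.
VIN_PREFIX = "TESTVIN00000"  # 12 characters + 5 serial digits = 17


@dataclass
class Vehicle:
    owner_id: str
    battery_pct: int
    plugged_in: bool
    climate_on: bool = False


# Constructed fleet: VIN -> vehicle state and owner.
FLEET: Dict[str, Vehicle] = {
    VIN_PREFIX + "00001": Vehicle("user-a", 80, True),
    VIN_PREFIX + "00002": Vehicle("user-b", 55, False),
    VIN_PREFIX + "00003": Vehicle("user-c", 12, True),
}

# Constructed session store for the hardened API: bearer token -> user id.
SESSIONS: Dict[str, str] = {"tok-a": "user-a", "tok-b": "user-b"}


def vulnerable_battery_status(vin: str) -> dict:
    """Vulnerable pattern: the VIN is the only input, so anyone who can
    name (or guess) a VIN reads that car's data."""
    v = FLEET.get(vin)
    if v is None:
        return {"status": 404}
    return {"status": 200, "battery_pct": v.battery_pct, "plugged_in": v.plugged_in}


def vulnerable_set_climate(vin: str, on: bool) -> dict:
    """Vulnerable pattern: a state-changing command with no authentication."""
    v = FLEET.get(vin)
    if v is None:
        return {"status": 404}
    v.climate_on = on
    return {"status": 200, "climate_on": v.climate_on}


def _authorize(token: Optional[str], vin: str) -> Tuple[int, Optional[Vehicle]]:
    """Hardened check: 401 without a valid session; 404 when the VIN does not
    exist or belongs to someone else. Both cases give the same answer so the
    endpoint cannot be used as an oracle for which VIN suffixes are live."""
    user = SESSIONS.get(token or "")
    if user is None:
        return 401, None
    v = FLEET.get(vin)
    if v is None or v.owner_id != user:
        return 404, None
    return 200, v


def hardened_battery_status(token: Optional[str], vin: str) -> dict:
    status, v = _authorize(token, vin)
    if v is None:
        return {"status": status}
    return {"status": 200, "battery_pct": v.battery_pct, "plugged_in": v.plugged_in}


def hardened_set_climate(token: Optional[str], vin: str, on: bool) -> dict:
    status, v = _authorize(token, vin)
    if v is None:
        return {"status": status}
    v.climate_on = on
    return {"status": 200, "climate_on": v.climate_on}


def sweep_last_five(query: Callable[[str], dict], lo: int = 0, hi: int = 10) -> List[str]:
    """Simulate guessing the last five digits against an endpoint and return
    the VINs that answered 200. The full space is only 100,000 requests; a
    small range is enough to show the difference here."""
    hits = []
    for n in range(lo, hi):
        vin = f"{VIN_PREFIX}{n:05d}"
        if query(vin)["status"] == 200:
            hits.append(vin)
    return hits


if __name__ == "__main__":
    print("vulnerable:", sweep_last_five(vulnerable_battery_status))
    print("hardened, no session:", sweep_last_five(lambda v: hardened_battery_status(None, v)))
    print("hardened, user-a:", sweep_last_five(lambda v: hardened_battery_status("tok-a", v)))
```

The point of the hardened version is that the session identifies the caller and the ownership check binds the VIN to that caller; returning the same 404 for "no such car" and "not your car" also stops the endpoint from confirming which guessed suffixes exist.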
The flaw had already been found by several other people and published on the internet, so Hunt decided he could make his story public as well: there are several GitHub repositories that cover the API, and a forum post explains how to feed the data into the smart home system Domoticz. Nissan had not yet fixed the problem and had asked him to hold off on publishing, which no longer made sense once the details were already public; still, Nissan responded promptly and communicated well about the issue, Hunt wrote. The service has since been taken offline in several countries. The functions that no longer work from a mobile phone still work from inside the car itself.
The impact of this flaw is limited compared with bugs found in other cars in recent years, such as being able to apply a car's brakes remotely, although an anonymous attacker who runs the climate control can at least drain the battery of a parked Leaf. Hunt himself points to the danger a similar flaw would pose in Volvo's announced plan to unlock a car with nothing but an app.