Leaf Hole Brings IoT Security Alert
Friday, February 26, 2016 @ 03:02 PM gHale
A bug in the mobile app for the Nissan Leaf electric car that lets an attacker take over the heating and air-conditioning may not seem like a huge vulnerability, but it underscores that security has to be designed in from the beginning in an Internet of Things (IoT) environment.
It starts with the API Nissan uses to let LEAF owners manage their vehicles from a mobile phone: the API has a vulnerability that could allow an attacker to control those features remotely.
For the best-selling all-electric car, Nissan created Android and iOS applications that let owners manage the vehicle and control frequently used features remotely from a mobile phone.
Australian security expert Troy Hunt learned from a student who owned a Nissan LEAF that the iOS app used only the car’s Vehicle Identification Number (VIN) to identify the vehicle. Further analysis found the API used by the mobile apps could be called anonymously, with no authentication token of any kind.
Anyone who knows a Nissan LEAF’s VIN could send requests to enable and disable the climate control, obtain information on the vehicle’s status, and even collect its driving history.
Experiments conducted by Hunt with the help of UK-based researcher and LEAF owner Scott Helme showed a remote attacker could easily turn on the AC of a parked car in an effort to drain its battery. Furthermore, the exposure of driving history information can pose a serious privacy risk.
The LEAF mobile apps don’t allow users to lock or unlock the vehicle, or start it remotely.
“While cloud connected car technology is in its infancy, it is likely that we will continue to hear about privacy and security related issues,” said Craig Young, cybersecurity researcher for Tripwire. “Generally speaking, any service should not be authenticated based on non-private data. For example, with a service like this, it would be better to have an authentication token provided to clients upon login and then used as an access control to prove that the client is authorized to perform actions on that VIN. I would recommend that Nissan consider implementing a 2-factor authentication for added protection.”
“The situation with the Nissan Leaf and the demonstration of how easy it is to decipher the communication between the car and the back end is yet another demonstration on how security frequently becomes an afterthought for companies not accustomed to the broader issues surrounding the Internet of Things, or IoT,” said Reiner Kappenberger, global product manager for HPE Security – Data Security. “We are lucky in this case that the attacks were only focused on functionality in the air-conditioning and heating system of the car and were done by a ‘white hat’ and not a criminally minded black hat hacker.”
At first glance such attacks might not seem easy to carry out, because the attacker needs the target’s VIN. Obtaining one, however, is not difficult.
On all the Nissan LEAF vehicles Hunt looked at, the VIN was identical except for the last five digits. That leaves only 100,000 possible values, so an attacker can simply send API requests for every combination until a vehicle responds, and the unauthenticated API itself confirms which VINs exist.
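The two designs contrasted in the Tripwire recommendation above (VIN-only identification versus a login-issued token plus a check that the VIN belongs to the caller), together with the five-digit VIN search space just described, as an added Python example. This is illustrative code written for this page, not Nissan’s API and not code from Hunt’s write-up; the VIN prefix, account names, passwords and function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed fleet for the example: one shared VIN prefix, and only the last
# five digits vary (the pattern the article reports). The prefix is made up; it
# is not a real Nissan VIN.
VIN_PREFIX = "EXAMPLEVIN00"
FLEET: Dict[str, str] = {            # VIN -> owning account
    VIN_PREFIX + "00042": "alice",
    VIN_PREFIX + "31337": "bob",
}
CLIMATE: Dict[str, str] = {vin: "off" for vin in FLEET}


# --- design 1: the VIN is the only "credential" (what the article describes) --

def vulnerable_status(vin: str) -> dict:
    """Answers anyone who names a VIN, which also makes it a VIN oracle."""
    if vin not in FLEET:
        return {"status": 404}
    return {"status": 200, "vin": vin, "climate": CLIMATE[vin]}


def vulnerable_set_climate(vin: str, state: str) -> dict:
    """Turns the climate control on or off with no check on who is asking."""
    if vin not in FLEET:
        return {"status": 404}
    CLIMATE[vin] = state
    return {"status": 200, "vin": vin, "climate": state}


def enumerate_vins(probe: Callable[[str], dict], prefix: str = VIN_PREFIX) -> List[str]:
    """Try all 10**5 five-digit suffixes and keep those that answer 200.

    Against design 1 this finds every car in the fleet; against design 2 it
    finds at most the caller's own car.
    """
    hits = []
    for n in range(100_000):
        vin = f"{prefix}{n:05d}"
        if probe(vin)["status"] == 200:
            hits.append(vin)
    return hits


# --- design 2: login issues a random token; each action checks the token AND
# --- that the VIN belongs to the token's owner (authentication + authorization)

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(password, salt)}


USERS = {"alice": _make_user("correct horse"),   # constructed accounts
         "bob": _make_user("battery staple")}
SESSIONS: Dict[str, str] = {}                    # bearer token -> account


def login(user: str, password: str) -> Optional[str]:
    """Return a fresh bearer token, or None on bad credentials."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
        return None
    token = secrets.token_urlsafe(32)   # random and unguessable, unlike a VIN
    SESSIONS[token] = user
    return token


def _authorize(token: Optional[str], vin: str) -> Optional[dict]:
    """Return an error response, or None when the caller may act on this VIN."""
    user = SESSIONS.get(token or "")
    if user is None:
        return {"status": 401}          # not logged in
    if FLEET.get(vin) != user:
        # Same answer for "not your car" and "no such car", so a logged-in
        # attacker cannot use the API to enumerate other people's VINs.
        return {"status": 404}
    return None


def hardened_status(vin: str, token: Optional[str] = None) -> dict:
    err = _authorize(token, vin)
    if err:
        return err
    return {"status": 200, "vin": vin, "climate": CLIMATE[vin]}


def hardened_set_climate(vin: str, state: str, token: Optional[str] = None) -> dict:
    err = _authorize(token, vin)
    if err:
        return err
    CLIMATE[vin] = state
    return {"status": 200, "vin": vin, "climate": state}
```

Running `enumerate_vins(vulnerable_status)` walks the whole 100,000-value space in well under a second and returns every VIN in the constructed fleet; the same sweep through `hardened_status` returns nothing without a token and only the caller’s own car with one. The point of the hardened design is that the VIN is treated as a public identifier, never as a secret: the secret is the random session token, and the ownership check binds that token to the vehicles the account is allowed to touch.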
Hunt wasn’t the only one who discovered the vulnerability: he was also contacted by someone in Canada who had identified the same flaw, and the issue had been discussed publicly on a French-language forum since December.
Hunt notified Nissan about the vulnerability on January 23, but the car company had not released a patch at the time. Until a fix becomes available, users can protect themselves by logging in to their accounts from a web browser and disabling the service from the configuration menu.
Nissan has disabled its NissanConnect EV app until it can fix the vulnerability.
“Companies developing IoT solutions focus on the feature and functionality set that they need to make the consumer experience easy and enjoyable. The developers have the best intentions and do a terrific job creating those applications. However, they are typically not security experts and, therefore, implement protocols that either have limited or no security elements incorporated,” Kappenberger said. “Making sure that security is a first class citizen during the design and development phase of those applications is more critical in the IoT space than ever before. While today’s security best practices focus on the security of the data, with IoT we now must consider the implications to physical security of infrastructure and of people, as we see in the connected car. What if other systems in the car could be breached?
“What manufacturers and developers of IoT devices need to consider is that it is not only the protocol they use but also the authentication and authorization to these services. Clearly the Nissan Leaf attack shows that neither of these were present but they could be fixed easily with a software update. It also demonstrates that the communication between the mobile device and the back end was not encrypted. Most people, when using a mobile app to do their finances, would not connect to their bank if they do not see a green bar showing proper SSL protection, yet have no visibility into the fact that the mobile application that they are using does not encrypt their data at all.”