Posted by Robert Vamosi on February 24, 2016
A security researcher disclosed on Wednesday that certain Nissan Leaf models can allow their heating and air-conditioning systems to be hijacked because of a flaw in their companion app. Security researcher Troy Hunt found that the NissanConnect app needed only the vehicle identification number (VIN) of any Nissan Leaf car to take control. He also found that, since the commands could be sent via a web browser, one didn’t need the app to take control of the cars.
“It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre,” Hunt told the BBC.
According to the BBC, Hunt reported the flaw to Nissan more than a month ago. The company said it could not yet comment. At present a remote attacker could only, at worst, run down people’s batteries by turning on their air conditioning. This was not true if the car was in motion. Nonetheless, an attacker could see the registered owner’s names, time, and recent destinations.
The VIN code is usually engraved somewhere on a car’s windscreen. The initial characters of a VIN refer to the brand, make of car, and country of manufacture/location of the firm’s headquarters, so even without walking through a parking lot one could find those numbers online. Only the final digits changed between different Nissan Leafs based in the same region. “There’s nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air conditioning on in every one,” Hunt told the BBC. “They would then get a response that would confirm which vehicles exist.”
Hunt suggested that owners who have enabled their Nissan CarWings account disable it until the problem is fixed.
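The missing check described above, sketched as an added example (this is not Nissan's code or Hunt's): a handler that trusts the VIN alone, beside one that requires a session and verifies that the session's account owns the VIN. The account names, tokens, VIN values, status codes and function names are all constructed for illustration.

```python
import hmac

# Constructed sample data: which account owns which VIN (values are made up).
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
# Constructed session store: session token -> account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

DENIED = (403, {"error": "forbidden"})


def authenticate(token):
    """Return the account for a session token, or None if it is not valid."""
    if token is None:
        return None
    for known, account in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return account
    return None


def vulnerable_climate_on(vin):
    """The pattern the article describes: the VIN alone selects the car."""
    if vin not in OWNERS:
        # A distinct reply for unknown VINs confirms which vehicles exist.
        return (404, {"error": "unknown vehicle"})
    return (200, {"vin": vin, "climate": "on"})


def hardened_climate_on(token, vin):
    """Require a session, then check that its account owns the VIN."""
    account = authenticate(token)
    if account is None:
        return (401, {"error": "unauthenticated"})
    # Same reply for "not your car" and "no such car", so the response
    # cannot be used to learn which VINs are registered.
    if OWNERS.get(vin) != account:
        return DENIED
    return (200, {"vin": vin, "climate": "on"})
```

With the ownership check in place, guessing the final digits of a VIN yields the same refusal whether or not the car exists.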