Troy Hunt has uncovered a flaw within the Nissan Leaf’s companion app that allows hackers to see data about recent journeys and meddle with other aspects of the vehicle such as climate control and battery life. All they need is he vehicle identity number (VIN).
Mr. Hunt gave Nissan one month to fix the flaw prior to his unmasking of them in public. His stance on the issue is that Nissan should disable the app, which has no authentication on it. Speaking to IT Security Guru, Richard Kirk , Senior VP at AlienVault, had the following to say:
“According to the research done by Troy Hunt, this is one of the most basic security mistakes that could be made. There is no user authorisation to validate that the user of the app is the owner of the car. It is hard to understand how a major global car manufacturer like Nissan could have a) allowed an app to be designed in such a way and b) not performed some degree of app security assessment and penetration testing before placing the app in the app store.
“If the app or car system developer were to add new app features, such as remote door unlocking or remote engine disablement, and they assumed that the app itself was safe and secure, then there could be serious implications, including either the theft of a car or its contents, or even an accident. This might sound extreme however other car manufacturers already provide similar app features.”
This is why it’s so vulnerable – although not life threatening hacks, it’s essential that security on devices such as cars is kept at a high standard to prevent vulnerabilities such as the Jeep hack of 2015, where experts took control of the vehicle’s systems including brakes, stereo, steering and more – our video report of this is at the bottom of the page.
So are car companion apps really necessary? Or is the security risk just too great to ensure your safety on the roads? Well Mark James, a Security Specialist at ESET told us his take:
“The first thing I would ask myself is do I really need to connect my car to the internet either through website or smartphone app? The most likely answer is no, if you do then make sure you regularly check the information you are sending, most can be configured to turn features on and off and check after each update. We are no longer striding towards an internet connected world we are now running downhill towards anything and everything being connected without regard for security and safety. It may seem like an inconvenience to have authentication to be able to turn your heated seats or steering wheel on when it’s cold and icy in the morning but it’s better than having another portion of your private lives exposed for all to see and plunder.”
So for now, it seems a lot of cases of our ecurity being traded off for the sake of convenience are taking place. So what can apps like this have added to them that’d reduce the risk? Craig Young, Security Resercher at Tripwire recommends that “Nissan [ought to] consider implementing a 2-factor authentication for added protection. This could be as simple as having a more involved first time setup in which mobile devices are issued a device token which will subsequently be sent along with a username and password when connecting to the service.”
If we take this in the context of the countless recent stories on IoT devices being breached, it’s clear that there’s a shortfall in the industry inregard to the security of users. Rainer Kappenberger, Global Product Maganer at HPE Security – Data Security, told us that “companies developing IoT solutions focus on the feature and functionality set that they need to make the consumer experience easy and enjoyable. The developers have the best intentions and do a terrific job creating those applications. However they are typically not security experts and, therefore, implement protocols that either have limited or no security elements incorporated.”
Speaking on the climate within the industry as a whole, he continues “Making sure that security is a first class citizen during the design and development phase of those applications is more critical in the IoT space than ever before. While today’s security best practices focus on the security of the data, with IoT we now must consider the implications to physical security of infrastructure and of people, as we see in the connected car. What if other systems in the car could be breached?”
Kevin Epstein, VP of Proofpoint’s Threat Operations Centred, added that “As the number of such connected devices is expected to grow to more than four times the number of connected computers in the next few years, proof of an ‘internet of things’-based attack has significant security implications for device owners. Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur.”
Paul Fletcher, cyber security evangelist at managed cloud security provider, Alert Logic, concluded “The Nissan Leaf vulnerability is an issue that needs to be fixed by the manufacturer and while this vulnerability doesn’t have the same impact as the Jeep vulnerabilities documented last year, it’s an entry point into the controls of a vehicle and the potential for a more severe hack is now present. Nissan has an opportunity to embrace this discovery and enhance the security controls of it’s product. Nissan would be smart to launch a “bounty” program, if for no other reason but to market their willingness to put their security controls to the test and build the confidence of their customers and the industry. Only time will tell how serious Nissan takes this threat to it’s vehicles and customers.”