In a world that’s soon to be dominated by smart cars capable of making complex decisions, or even driving themselves, security vulnerabilities that allow hackers access to these systems are sort of a worst-case scenario.
Today, security researcher Troy Hunt released his findings that show just how vulnerable to these attacks we are.
Hunt was able to access a Nissan Leaf, the world's best-selling electric car, owned by security researcher Scott Helme, while Hunt was in Australia and Helme was in the UK.
To access the vehicle, Hunt simply needed to use Nissan’s Leaf mobile app, which owners can use to heat up or cool their cars before getting in them as well as checking battery status and other related functions. Aside from the app, all that was required was the vehicle identification number (VIN) and a little bit of hacking.
The method came from an anonymous researcher who routed the app's traffic through his own computer, acting as a proxy, while the app talked to the internet; that let him see the requests the app was sending to Nissan's servers.
Those requests looked like this:
As you can see, the number right after the VIN parameter in the request is the unique identifier for each vehicle. The VIN is visible through the windshield of any car, by law, and would give any passerby all the information they'd need to access your vehicle.
So far, the attack only allows the user to control the heating and cooling of the vehicle, which isn’t all that worrisome.
What is worrisome, however, is the access to data a potential hacker has once they’re connected to your Nissan Leaf. Once connected, hackers can view information about your recent trips, power usage information, battery charge state and other info that could be deemed sensitive for tracking movement and identifying common travel patterns.
The most alarming part might be Nissan’s complete lack of an attempt to verify the identity on either end of the connection. As Hunt describes:
But what got Jan’s attention is not that he could get the vehicle’s present status, but rather that the request his phone had issued didn’t appear to contain any identity data about his authenticated session.
In other words, he was accessing the API anonymously. It’s a GET request so there was nothing passed in the body nor was there anything like a bearer token in the request header. In fact, the only thing identifying his vehicle was the VIN which I’ve partially obfuscated in the URL above.
Hunt also showed that he could use a tool to generate the VINs of Leaf owners he had never been near (only the last 5 or 6 digits differ from car to car), meaning he could access vehicles he's never seen from anywhere on the planet using nothing but an Internet connection.
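The failure Hunt describes is a missing authentication and ownership check on a GET request whose only identifier is a guessable VIN. The following is an added illustration, not Nissan's code or Hunt's, that models the vulnerable handler next to a hardened one; the VINs, tokens, account names and status fields are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data (placeholders, not real vehicles or sessions).
VEHICLE_STATUS = {
    "EXAMPLEVIN0000001": {"battery_pct": 82, "charging": False},
    "EXAMPLEVIN0000002": {"battery_pct": 47, "charging": True},
}
SESSIONS = {"token-alice": "alice"}            # bearer token -> account
OWNERSHIP = {"alice": {"EXAMPLEVIN0000001"}}   # account -> VINs it owns


@dataclass
class Request:
    query: dict                                   # parsed query string
    headers: dict = field(default_factory=dict)   # request headers


def battery_status_vulnerable(req):
    """The pattern in the article: the VIN in the query string is the only
    identifier, so anyone who can read or enumerate a VIN gets the data."""
    status = VEHICLE_STATUS.get(req.query.get("VIN"))
    if status is None:
        return 404, {"error": "unknown vehicle"}
    return 200, status


def battery_status_hardened(req):
    """Require an authenticated session, then confirm that the session's
    account actually owns the requested VIN before returning anything."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    account = SESSIONS.get(auth[len("Bearer "):])
    if account is None:
        return 401, {"error": "invalid session"}
    vin = req.query.get("VIN")
    # Same response for "not yours" and "does not exist", so the endpoint
    # cannot be used to confirm which VINs are registered.
    if vin not in OWNERSHIP.get(account, set()) or vin not in VEHICLE_STATUS:
        return 404, {"error": "unknown vehicle"}
    return 200, VEHICLE_STATUS[vin]
```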