
Controlling vehicle features of Nissan LEAFs remotely via vulnerable APIs - marklubi
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
======
mikestew
Anyone who has been cursed with using anything related to CarWings might not
be surprised by this. I swear their backend is running on some intern's
personal laptop. That feature where you can preheat your car from your phone?
Be sure to allow a few minutes to do that. Start the app, wait 30 seconds for
it to log in. Go to "Climate". Oh, shoot, it thinks the heat's still on (the
app does a pathetic job of managing state). Click "Turn Off". Wait another 30
seconds (or more) while it round-trips to the car. Click "Turn On". Wait
another 30 seconds. Go to car, expecting it to be warm. Open car door to
discover that it's stone cold.

That's just one example. Nissan said they'd charge for CarWings after three
years. Going on almost five years later, we've yet to receive a bill. Nissan
knows if they tried to charge for CarWings, they'd have three paying customers
because no one else would pay for that crap.

With all its warts, I would have said nothing much would surprise me were a
security hole found. But this is just astounding. The prior API at least
required creds. So they took an API that had some modicum of security,
discarded that and just use a string that's visible from the outside of every
vehicle? Picture me with my lower jaw hanging between my knee caps.

~~~
dangrossman
> Nissan knows if they tried to charge for CarWings, they'd have three paying
> customers because no one else would pay for that crap.

That and the service is going to break this year anyway.

AT&T is sunsetting its 2G network on December 31, 2016. It's already
dismantled it (to reallocate the spectrum to 3G/4G/LTE) in some regions.

Most Leafs on the road only have 2G AT&T modems. I'm pretty sure Nissan was
still selling them new in 2015 with 2G modems, despite knowing AT&T's plans.
There won't be any CarWings service, or charging location updates, or anything
else that needs internet on those cars once the 2G network goes away.

~~~
toomuchtodo
That's not going to help leaf residual values coming off lease at all.

~~~
pjc50
>3 year old leaves are already surprisingly cheap, I was considering getting
one.

~~~
toomuchtodo
Might want to wait until March 31st to see what the Tesla Model 3 looks like.

~~~
c22
Why would a 35k+ car that's not going into production until 2017 be a suitable
alternative for someone who's looking at 10-15k 3 year old Leafs today?

------
gburt
No authentication. The only sort of authentication token is linearly
predictable and printed in plain text on the outside of the car.

No rate limiting. They successfully used the linear nature to collect a list
of valid VINs and validate them.

No apparent intrusion detection.

Bad response to security disclosure. They didn't fix the problem when it was
reported, they still haven't addressed the researcher properly.

I'm not sure these are the right people to write life critical software (which
admittedly, this vuln. does not appear to relate to life critical systems;
just privacy and comfort).

~~~
c-slice
And add on personal info release - the API will provide a username if queried
with a VIN.

~~~
seanp2k2
Car companies are terrible at making software. I'm not surprised that they
want to lock down the ECU code, since it's probably awful and full of subtle
bugs as well, and they don't want to get hit with tons of lawsuits when people
find a bug in the firmware.

Really wish they'd just use CarPlay / Android and go back to analog knobs to
control HVAC stuff. Opening a modal dialog to adjust fan speed (in a 2015 MDX
I've been in) is terrible UX and very distracting to do while driving. The 2nd
gen Prius is no better, and the control panel UI in it looks like something
from Windows 3.1.

------
rossng
It's genuinely scary to see how trivial these attacks often are. Who on earth
wrote these API endpoints and thought they were acceptably secure?

If the car companies can't write software that would withstand hacking skills
roughly equivalent to a curious teenager, what hope do they have against
criminal organisations or nation states? I don't really want to think about
it...

~~~
smarx007
Bad stuff happens - I think it's a pretty safe assumption. What is worse is
that there was some PM out there who didn't want to immediately disable the
whole service until the issue was fixed. So I think this disclosure is a fair
thing to do - when they choose between PR image or security, they must
understand that both can get dragged through the mud.

~~~
mavhc
Who will you trust to make your next car, a car company or a software company
with a record of good security?

~~~
dyarosla
Ideally a car company with a record of good manufacturing partnered with a
software company with a record for good security. But I don't see that kind of
partnership happening with the likely players we're talking about in the
space.

------
danso
What's the developer ecosystem around car software like these days? I mean, in
an industry in which mechanical/aerodynamic engineering is so paramount, what
is the rigor of the mindset and culture among the groups that build the
network and user-interface software? I'd have to guess that it'd be an
emerging field, with the IoT being relatively new, even if it were heavily
populated by programmers who worked on the more traditional aspects of vehicle
operation (engines, etc)...and with the overall high demand for skilled
developers in all the other parts of software industry.

I'm being biased here because I recently bought a vehicle which charges some
non-significant amount of money ($50, or maybe $99?) to just buy an iPhone app
that connects to the vehicle's dashboard, then an HDMI cable if I want to
connect the phone's video to the screen to watch my phone's movies, and then a
subscription fee afterwards to do GPS and other on-demand services. Not saying
that that's a shortsighted business model -- maybe car customers are paying
for it in the droves -- just that it's one that naturally attracts fewer
scrutinizing eyes, which can non-directly impact the attitudes and culture of
the development team. Also, I guess I just don't see many auto software
developers talking/showing their trade, as opposed to dev teams from other
traditional behemoths -- such as Best Buy and Walmart -- who despite not
working for their tech-focused disruptive competitors, still produce and share
software that is public-facing.

~~~
pjc50
So far as I can tell, it combines the rigor of the Toyota unintended
acceleration code with a zillion global variables with the Volkswagen approach
to regulatory compliance with the IoT approach to security and vendor lockin.
By the sounds of it they're discovering the mobile industry's approach to
extra charges.

~~~
seanp2k2
Sounds like a "greatest hits of terrible development practices". Hey, at least
everyone won't have to bring their vehicle in to a stealership to get it
updated if they ever release a fix. Wait.

------
willvarfar
How does the Leaf connect to the servers to receive commands? How secure is
this link? It would be easy to speculate that after breaking into the link
between Nissan servers and the car you'd be able to do rather more mischief
and likely exploit vulnerabilities in the software itself to do things not
exposed in the API. It's easy to imagine that there isn't even a firewall
between the remotely-accessible system and the engine control system. It's also
easy to imagine that the data being uploaded to Nissan is rather more privacy-
invading than the travel log exposed by the public API. We want someone to
hack into the Leaf and expose it wide open.

~~~
gravypod
I've been wondering this too. Tesla does it as well. It makes me feel "bad" on
the inside from a security perspective.

Can I turn this feature off? How does it communicate?

~~~
masklinn
> Can I turn this feature off?

The article says that you can, by disabling CarWings/NissanConnect. Which you
should probably do if you're a connected Leaf owner, as it lets anyone control
AC/heating _and_ gives them historic driving information (date, distance and
"driving efficiency").

> How does it communicate?

Lost the source (maybe one of the forums linked from
[http://www.troyhunt.com/2016/02/controlling-vehicle-features...](http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html?)) but I read the CarWings service sends an SMS to the car, which
contacts the webservice to return its information.

~~~
willvarfar
Turning off the web API stops people communicating with Nissan's webservice;
it doesn't stop the car communicating with Nissan's webservice.

~~~
tigeba
The car actually randomly asks you permission to do this. You will start the
car up and there will be a dialog asking you to continue to allow the computer
to communicate with Nissan. If I recall, you also need to enter in some
credentials into the car's computer for it to communicate with Nissan.

~~~
mikestew
_The car actually randomly asks you permission to do this._

No, it asks you every...friggin'...time you start the car, with no way to say
"you have my permission from now on". I _wish_ it were random, at least that
way there'd be times I don't have to punch the "OK" button.

~~~
dangrossman
Only the 2011 and 2012 model years worked like that. Newer Leafs only require
you to acknowledge the agreement every few months.

~~~
reacweb
Is there an upgrade? This is an unbearable nag screen.

~~~
dangrossman
No. And even better, when CarWings stops working at the end of the year
because there's no AT&T 2G network for it to connect to, you'll still be
pressing "OK" twice a day for no reason at all.

------
Someone1234
There's no actual way of fixing this, if it ultimately relies on VINs. You can
however mitigate it.

Let's say you required an account and utilised authentication tokens, sure,
that will stop unauthenticated requests. But what is stopping someone else
from stealing your VIN and registering an account themselves? If you only
allow a single account registration per VIN then what happens if the vehicle
changes ownership?

VINs aren't a "shared secret." They're a public fact. Instead Nissan should be
utilising a secret number stored in the vehicle entertainment unit and user
accessible, and they should add a button to change it when the vehicle changes
ownership. Heck they could even do a QR code if they really wanted
registration to be as painless as possible.

~~~
marklubi
They definitely need to figure out something to mitigate the public
information bit. Aside from (presumably) a cost associated with it, there
isn't anything stopping someone from going to the DMV and getting the info
they need about a target.

Further, they also really need to change the HTTP method for the endpoints
that change state.

Nothing's stopping someone from putting up an image tag on a well-trafficked
website (or buying display ads on a network) with the src set as the endpoint
that turns on the AC. Turns into a real-world DoS when the battery is dead.
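Added example, not code from the thread or from Nissan: a pure-Python sketch of the image-tag vector marklubi describes (a browser fetching an `<img src>` issues a plain GET with no body and no custom headers), next to a hardened handler that insists on POST plus a VIN-bound bearer token. The `/climate/on` path, the header names, the `app.example` origin and the VIN values are constructed for illustration.

```python
# Added example: the cross-site image-tag vector against a state-changing GET,
# beside a hardened handler. Not Nissan's code; the /climate/on path, the
# header names, the app origin and the VIN values are constructed.
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


# Hypothetical per-vehicle climate state, keyed by VIN.
CLIMATE: Dict[str, str] = {}
APP_ORIGIN = "https://app.example"   # assumed origin of the legitimate client


def simulate_img_tag(vin: str) -> Request:
    """What a browser sends for <img src="https://api.example/climate/on?VIN=...">
    embedded in an attacker's page or ad: a plain GET, no body, no custom headers."""
    return Request("GET", "/climate/on", query={"VIN": vin})


def vulnerable_climate_on(req: Request) -> Tuple[int, str]:
    """The pattern discussed in the thread: a GET carrying only a VIN flips
    climate control on, so any cross-site image load triggers it."""
    vin = req.query.get("VIN")
    if not vin:
        return 400, "missing VIN"
    CLIMATE[vin] = "on"
    return 200, "ok"


def hardened_climate_on(req: Request, valid_tokens: Dict[str, str]) -> Tuple[int, str]:
    """Requires POST, a bearer token in the Authorization header that is bound
    to the VIN being acted on, and an Origin check for cross-site POSTs. An
    <img>-driven request is a GET with no custom headers, so it fails at the
    first check and never reaches the state change."""
    if req.method != "POST":
        return 405, "method not allowed"
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing token"
    vin = valid_tokens.get(auth[len("Bearer "):])
    if vin is None or vin != req.body.get("VIN"):
        return 403, "token not valid for this vehicle"
    origin = req.headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return 403, "cross-origin request rejected"
    CLIMATE[vin] = "on"
    return 200, "ok"
```

The method change alone is not the whole fix: a cross-site form can still POST. What actually stops the drive-by is that the token travels in a header the attacker's page cannot set, rather than in a cookie or a URL parameter the browser attaches on its own.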

~~~
tigeba
There is no danger of this. The endpoints are so slow that the ad network /
site would drop it in minutes :)

~~~
marklubi
If the AC stays on for X minutes, you only need to occasionally redirect an
actual advertisement image to the endpoint to be effective.

~~~
neon_electro
It's 15 minutes[1] by default, I believe.

[1][http://www.mynissanleaf.com/viewtopic.php?p=363558&sid=1dec9...](http://www.mynissanleaf.com/viewtopic.php?p=363558&sid=1dec91ee04d72012cb9ea1c0fd078353#p363558)

------
drzaiusapelord
>Mr Hunt said the root of the problem was that the firm's NissanConnect app
needed only a car's vehicle identification number (Vin) to take control.

And only the last 5 digits vary on these VINs, so you can just run through
them all with a simple script in no time. They're using VIN as the unique key
on these things and with no other authentication? Wow. Just wow.

I really think we've reached that point with IoT that it's time to start
proposing HIPAA-like regulation on this stuff. It's endless amateur hour out
there.
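Added example, not code or logs from the thread or from Nissan, covering the missing rate limiting and VIN collection that gburt notes above and the last-five-digits sweep described here: an enumeration detector run over constructed request log lines, plus a per-source limiter of the kind the API lacked. The log format, the `EXAMPLEPRFX1` VIN prefix, the IP addresses and the thresholds are all assumptions.

```python
# Added example: spotting a last-five-digit VIN sweep in request logs and
# capping per-source lookups. Not Nissan's code or logs; the log format,
# the EXAMPLEPRFX1 prefix, the addresses and the thresholds are constructed.
from collections import defaultdict, deque
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) GET /\S*[?&]VIN=(?P<vin>[A-Z0-9]{17}) (?P<status>\d{3})$"
)


def parse(lines):
    """Yield (ts, src, vin, status) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield int(m["ts"]), m["src"], m["vin"], int(m["status"])


def consecutive_serials(vins):
    """True when the numeric tails form a run such as 00001, 00002, 00003,
    which is what a sweep over the varying last five digits looks like."""
    tails = sorted(int(v[-5:]) for v in vins if v[-5:].isdigit())
    return len(tails) >= 3 and all(b - a == 1 for a, b in zip(tails, tails[1:]))


def enumeration_sources(lines, window=60, max_distinct=5):
    """Return {src: reason} for sources that queried more than max_distinct
    different VINs within any window-second span, or whose VINs are sequential."""
    by_src = defaultdict(list)
    for ts, src, vin, _status in parse(lines):
        by_src[src].append((ts, vin))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()
        for ts, vin in events:
            recent.append((ts, vin))
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = {v for _, v in recent}
            if len(distinct) > max_distinct:
                flagged[src] = f"{len(distinct)} distinct VINs in {window}s"
                break
            if consecutive_serials(distinct):
                flagged[src] = "sequential VIN serials"
                break
    return flagged


class FixedWindowLimiter:
    """Per-source cap on lookups; the thread notes the real API had none."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, src, ts):
        h = self.hits[src]
        while h and ts - h[0] >= self.window:
            h.popleft()
        if len(h) >= self.limit:
            return False
        h.append(ts)
        return True


# Constructed log lines: one sequential sweep, one scattered probe, one owner
# polling a single VIN. Status codes are illustrative.
SAMPLE_LOG = [
    "1 198.51.100.7 GET /climate/status?VIN=EXAMPLEPRFX100001 200",
    "2 198.51.100.7 GET /climate/status?VIN=EXAMPLEPRFX100002 404",
    "3 198.51.100.7 GET /climate/status?VIN=EXAMPLEPRFX100003 200",
    "4 198.51.100.7 GET /climate/status?VIN=EXAMPLEPRFX100004 200",
    "100 198.51.100.8 GET /climate/status?VIN=EXAMPLEPRFX100417 200",
    "102 198.51.100.8 GET /climate/status?VIN=EXAMPLEPRFX103120 404",
    "104 198.51.100.8 GET /climate/status?VIN=EXAMPLEPRFX108811 200",
    "106 198.51.100.8 GET /climate/status?VIN=EXAMPLEPRFX112345 200",
    "108 198.51.100.8 GET /climate/status?VIN=EXAMPLEPRFX119999 404",
    "110 198.51.100.8 GET /climate/status?VIN=EXAMPLEPRFX120001 200",
    "5 203.0.113.5 GET /climate/status?VIN=EXAMPLEPRFX100042 200",
    "35 203.0.113.5 GET /climate/status?VIN=EXAMPLEPRFX100042 200",
    "65 203.0.113.5 GET /climate/status?VIN=EXAMPLEPRFX100042 200",
]
```

A legitimate owner touches one VIN, so neither signal fires for them; a sweeper trips the sequential check after three hits, and a scattered probe trips the distinct-VIN count. The limiter only slows a sweep down, which is why the detection signal matters as much as the cap.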

~~~
ssewell
This is unbelievable. Any decent API would have the client authenticate via
user credentials over an encrypted channel to obtain a temporary token (that's
only valid for a short time period), and all subsequent command requests would
require the token to successfully proceed.
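Added example, not Nissan's design or code, combining Someone1234's suggestion above (a secret held in the vehicle, rotated when it changes hands) with the short-lived token flow ssewell describes: the VIN stays public, registering an account needs the in-car secret as well, and every command carries a token that stops validating on expiry or after a rotation. All names, the HMAC token construction and the 300-second TTL are assumptions.

```python
# Added example: per-vehicle secret with rotation on ownership change, plus
# short-lived HMAC tokens bound to the VIN and the secret's version. Not
# Nissan's design; class and function names and the TTL are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # token-signing key held only by the API server


class VehicleRegistry:
    def __init__(self):
        self._secrets = {}   # vin -> (secret shown in the car's head unit, version)
        self._users = {}     # vin -> registered owner account

    def provision(self, vin):
        """Factory/dealer step: mint the in-car secret. The VIN itself stays public."""
        self._secrets[vin] = (secrets.token_urlsafe(16), 1)
        return self._secrets[vin][0]

    def rotate(self, vin):
        """'Change it when the vehicle changes ownership': new secret, bumped
        version, previous registration dropped. Tokens minted against the old
        version fail verification from here on."""
        _, ver = self._secrets[vin]
        self._secrets[vin] = (secrets.token_urlsafe(16), ver + 1)
        self._users.pop(vin, None)
        return self._secrets[vin][0]

    def register(self, user, vin, presented_secret):
        """Knowing the VIN is not enough; the caller must also present the secret."""
        stored = self._secrets.get(vin)
        if stored is None or not hmac.compare_digest(stored[0], presented_secret):
            return False
        self._users[vin] = user
        return True

    def owner(self, vin):
        return self._users.get(vin)

    def current_version(self, vin):
        return self._secrets[vin][1]


def issue_token(registry, user, vin, ttl=300, now=None):
    """Short-lived token binding user, VIN and secret version; issued only to
    the account registered for that VIN (after the credential check)."""
    if registry.owner(vin) != user:
        return None
    now = time.time() if now is None else now
    payload = {"u": user, "v": vin, "ver": registry.current_version(vin), "exp": int(now + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(registry, token, vin, now=None):
    """Every command request passes through this; returns the user or None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None          # tampered or forged
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["v"] != vin or payload["exp"] <= now:
        return None          # wrong vehicle or expired
    if payload["ver"] != registry.current_version(vin):
        return None          # secret rotated after an ownership change
    return payload["u"]
```

The version number in the token is what makes rotation effective without a revocation list: the old owner's tokens, and any registration made with the old secret, die the moment the new owner presses the rotate button.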

------
vvanders
Oy wow, that's bad.

I've poked around in the Tesla API and it's much better, based on OAuth and an
account registered to the specific owner.

~~~
codeulike
Yeah this is where Tesla's software/silicon valley background starts to look
like a real advantage

~~~
maxerickson
What would prevent the auto companies from hiring someone with a clearer idea
of how to securely architect these things?

There are things like insider bias to overcome, but if the older auto
companies see Tesla eating their lunch over software, they will go ahead and
overcome it.

~~~
codeulike
I heard that the car dealers won't allow car manufacturers to apply over-the-
air updates (for example) because it breaks the agreement between dealers and
manufacturers (all maintenance and service must go through dealers). I'm not
sure if that's true but it's pretty hilarious if it is.

~~~
marssaxman
That's... really reassuring, actually, because it means there will still be
OTA-free vehicles available on the used market for years to come.

------
jordache
So does every leaf come with life-time connection to the internet over
cellular?

Like my Kindle keyboard 3G?

~~~
gravypod
The keyboard comes with free 3G? I'd love to see if someone could pull that
out and do something cool with it.

~~~
mavhc
Someone published how to use it as a proxy, and then amazon restricted its
usage massively, obviously. Sigh.

Also each newer kindle had a greater price difference between wifi and 3g, and
more restrictions

~~~
gravypod
Do the really old ones still work with little restrictions?

~~~
mavhc
My Kindle 3 Keyboard 3G just has the 50MB/month limit, but everywhere has wifi
now anyway, so I rarely use it.

------
codeulike
Was just arranging to go and look at used Leafs tomorrow : (

If I don't register my car with the app, does that protect me?

edit: yep sounds like it does.

~~~
grahamel
Do they disconnect/unregister the previous owner when you buy the car second
hand?

~~~
mkohler
I bought a used Leaf two weeks ago from a dealer. From the dash computer, I
saw the previous owner's CarWings username and password, as well as his
address book, Bluetooth details, and lots of other history. I called Nissan to
register the car with the Owner's portal
([https://owners.nissanusa.com](https://owners.nissanusa.com)) and remember
being surprised that I didn't have to give Nissan anything that proved I owned
the car.

------
pacquiao882
This is borderline negligence for the lack of authentication and security of
the app. I suppose it may just be a matter of time until someone figures out
how to get access to other more critical systems in the vehicle, similar to
the Tesla vulnerability from last year. It took the Tesla security researchers
less than a year from when they found they could access the sound and climate
systems (over similar cellular networks) to being able to flash custom
firmware on-the-fly and take control of steering and acceleration / braking.

~~~
greglindahl
Are you confusing the relatively minor Tesla hack with the spectacularly
serious Jeep hack?

------
elahd
This may be a stretch, but this vulnerability could be used to kill a child or
pet left in a car on a mild to hot day. Turn on heat, crank to 100+.

------
castratikron
Does this mean that used Nissan Leaves will become even cheaper? They're
already about $9k used with not many miles (20k).

~~~
matthewmcg
We bought a loaded one (leather, premium stereo) used with 11k miles for not
much more than that. Best value around if the range works for your driving
requirements.

------
knughit
Clarification: this is a vulnerability in the Internet of Things component
attached to the car. The car itself is fine, and the vulnerability is only in
devices with the silly and expensive IoT upgrade package.

~~~
masklinn
> The car itself is fine

Well to an extent, if you've enabled the service any third party can remotely
enable, disable or reconfigure AC and heating (which is pretty problematic for
an EV), and the service also provides limited travel information (no GPS
location, but travel times and distances)

~~~
mikeash
Just a nitpick: being able to remotely turn on climate control in a non-EV
would be much worse, as it could be life threatening if the car is in a
garage. With an EV the worst case is you need to tow it to a charger.

------
thrillgore
It doesn't look like this affects any systems used to move the car. Still,
will I need to start asking if my next automobile is air-gapped at this rate?

~~~
dangrossman
Since A/C and heat run off the same battery pack that moves the car,
compromising remote climate control can be more than just a nuisance. Someone
can ensure that you wake up, or leave work, to find your battery has no charge
left and you can't get where you need to go. It's like being able to siphon
your neighbor's gas tank, while their car is parked in their garage, via an
app.

------
ryanlol
Reposting my comment from netsec.

I'm not sure why Troy can't just refer to others' public research directly
instead of repackaging it and using "responsible disclosure" as a cover for
not sharing his (public) sources.

It seems sketchy at best, dishonest at worst.

>A GitHub repository documenting the API including the observation that “All
other operations take the DCMID and the VIN of your vehicle as parameters for
authorizing the requested operation” (although the DCMID value is not actually
required and is empty in many of the examples above)

[https://gist.github.com/joshperry/15eadc2a63b22632d6ae](https://gist.github.com/joshperry/15eadc2a63b22632d6ae)

>Another GitHub repository, this time a Python script to connect to and manage
vehicle features via the API (also includes region codes for managing vehicles
in other parts of the world)

[https://github.com/jdhorne/pycarwings2](https://github.com/jdhorne/pycarwings2)

>Yet another GitHub repository built to target an earlier generation of the
service and referenced as inspiration for the previously mentioned project

probably
[https://github.com/haykinson/pycarwings](https://github.com/haykinson/pycarwings)

>A blog post on reverse engineering the API which observes that “curiously, it
seems like you just need the constant DCMID and VIN fields” (again, the DCMID
parameter wasn’t actually used in our tests)

[http://virantha.com/2016/01/12/reverse-engineering-nissan-co...](http://virantha.com/2016/01/12/reverse-engineering-nissan-connect-ev-protocol/)

>A forum post on integrating the data into Domoticz (a home automation system)
which makes this observation: “No other authentication necessary!”

[http://www.domoticz.com/forum/posting.php?mode=quote&f=31&p=...](http://www.domoticz.com/forum/posting.php?mode=quote&f=31&p=74015&sid=da7f9475540847278474d2dd29baf039)

IMO, his behaviour is straight up despicable. This stuff isn't hard to find,
but he still refuses to give proper credit because of "responsible
disclosure". Yet, anyone interested in attacking the API can and will find
this stuff on google.

Also, another example of Troy's BS:

[https://twitter.com/troyhunt/status/701733562253336576](https://twitter.com/troyhunt/status/701733562253336576)

Trying to publicly shame vkontakte for a nonexistent SQLi (this is a wiki page
that anyone can edit, here's a wikipedia example demonstrating the same
"vulnerability"
[https://en.wikipedia.org/w/index.php?title=%27&diff=70631701...](https://en.wikipedia.org/w/index.php?title=%27&diff=706317017&oldid=646978585))

