Nissan Leaf security flaw puts vehicle telematics apps under scrutiny
Drive away from the showroom in one of the more technology-forward new vehicles (or, really, nearly anything with a luxury badge these days) and it's likely you at least have the option to bring some key vehicle functions with you nearly everywhere you go, in the form of an app for your iOS or Android handset.
And while these apps may be a tremendous help when it comes to tasks like unlocking your car remotely, getting roadside assistance, remembering where you parked, checking in on your battery charge or fuel tank, or priming the climate control on a cold winter day, they can represent potential windows of opportunity if automakers aren't extremely mindful of security.
That's been underscored this week, as an Australian cybersecurity expert, Troy Hunt, showed that hackers could remotely access some of a Nissan Leaf's functions, such as its climate control and journey data, without the owner's credentials.
Hunt did acknowledge that the issue itself wasn't directly life-threatening. While the climate-control flaw could potentially be used to tamper with a known car (running its battery down while parked, for instance), the trip-data flaw is the more serious one, from a privacy standpoint.
Nissan did the right thing
He recommended that the right thing for Nissan to do in this situation was to turn the service off. And that's exactly what the automaker did this past day, effectively disabling the app's functions by making the server unavailable.
Nissan clarified to us that Leaf models in the U.S. and abroad are affected by the issue, as are eNV200 vans sold overseas.
And the automaker made the following statement:
The NissanConnect EV app (formerly called CarWings, and used for the Nissan LEAF) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone, all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
We're looking forward to launching updated versions of our apps very soon.
That said, there's clearly a lot that automakers are missing. Two researchers, Charlie Miller and Chris Valasek, in 2014 found that most vehicle control systems weren't designed with security as a top priority. Cellular-based apps were one of the potential ways in which an intruder might access vehicle functions.
Still, a lack of security coordination between automakers, suppliers, and other third-party app developers leaves flaws and loopholes to be discovered. Those same two researchers last year explained in detail how a vehicle could be remotely compromised through a security flaw in the head unit, letting an attacker control the sound system and track the vehicle through its navigation system.
That led to a recall, as well as an expanded recall later.
(More sophisticated) crimes of opportunity
These aren't the sorts of crimes of opportunity you might find on the street, with keys left in a car, or a purse left inside an unlocked vehicle. Most of these flaws would take some effort and expertise to exploit, yet they remain a serious vulnerability.
The CarWings hack in the Nissan app reportedly required only the vehicle's VIN to authenticate the app, whereas most other apps require at least one other identifier, like an e-mail address and a personalized PIN or password. A VIN is not a secret: it is stamped on a plate visible through the windshield and printed on registration and insurance paperwork, so it identifies a car but cannot prove who is asking to control it.
Sam Abuelsamid, a senior research analyst at Navigant Research, called the approach, if true, "totally unacceptable."
"Manufacturers need to develop much more robust methods of authenticating remote apps that include additional verification factors," said Abuelsamid, "before something catastrophic happens."
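To make the difference concrete, here is an added example (not code from Nissan, from the CarWings service, or from Hunt's write-up) modelling the two designs the preceding paragraphs contrast: a telematics back end that accepts a remote climate-control command on the strength of a VIN alone, beside one that ties every command to a password-backed account that owns the vehicle. The function names, the in-memory tables, the sample VINs and the accounts are all invented for the illustration; the real server's endpoints and parameters are not described on this page.

```python
"""Added example, not Nissan's or Troy Hunt's code.

A minimal model of a telematics back end that handles a remote
climate-control command. `vin_only_climate_on` reproduces the design the
article describes (the VIN is the only thing checked); `climate_on` binds
the command to a logged-in account that owns the vehicle.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data: two cars, two owners. VINs and e-mails are made up.
VEHICLES: Dict[str, dict] = {
    "VIN0000000000001A": {"owner": "alice@example.com", "climate": "off"},
    "VIN0000000000002B": {"owner": "bob@example.com", "climate": "off"},
}


def vin_only_climate_on(vin: str) -> int:
    """Vulnerable design: whoever knows or guesses a VIN controls the car.

    Nothing ties the request to a person, and a VIN is not a secret.
    Returns an HTTP-style status code.
    """
    car = VEHICLES.get(vin)
    if car is None:
        return 404
    car["climate"] = "on"
    return 200


# Hardened design: password-backed accounts, random session tokens,
# and an ownership check on every vehicle command.

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed illustrative value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS: Dict[str, dict] = {}      # email -> {"salt", "hash"}
SESSIONS: Dict[str, str] = {}    # session token -> email


def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def login(email: str, password: str) -> Optional[str]:
    """Return a fresh random session token, or None on failure."""
    user = USERS.get(email)
    if user is None:
        # Do the same work for unknown accounts so timing does not reveal
        # which e-mail addresses are registered.
        _hash_password(password, b"\0" * 16)
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def climate_on(token: Optional[str], vin: str) -> int:
    """Hardened handler: 401 without a valid session, 403 unless the caller owns the VIN."""
    email = SESSIONS.get(token) if token else None
    if email is None:
        return 401
    car = VEHICLES.get(vin)
    # Same answer for "not your car" and "no such car", so a logged-in
    # attacker cannot use the endpoint to enumerate valid VINs.
    if car is None or car["owner"] != email:
        return 403
    car["climate"] = "on"
    return 200


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery staple")
    register("bob@example.com", "hunter2")
    print(vin_only_climate_on("VIN0000000000002B"))   # 200: anyone can do this
    tok = login("alice@example.com", "correct horse battery staple")
    print(climate_on(tok, "VIN0000000000002B"))        # 403: Alice cannot touch Bob's car
    print(climate_on(tok, "VIN0000000000001A"))        # 200: her own car
```

The point of the second handler is the ownership check, not the password hashing: a per-user token on its own would still let a logged-in user drive any VIN they can type, which is the same flaw one step removed. A production service would add rate limiting and an audit log of which account issued each command.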
A better way than going public?
Abuelsamid points to responsible disclosure programs that Tesla and GM have announced, through which security researchers (and hackers) can report vulnerabilities privately, perhaps for a reward or recognition, instead of first going public.
Automakers also need to understand that vehicle apps are different: not just that they need to hold to higher standards for being secure and bug-free, but that they need to be supported far longer than typical smartphone apps.
Anything less would be undercutting the transformative potential of these technologies.
This article first appeared at .