SoCal Android Developers
--Nissan Pulls Leaf App Over Security Concerns
Jeffrey Peacock
Feb 26, 2016, 7:57:20 PM
to socal-...@googlegroups.com
--Nissan Pulls Leaf App Over Security Concerns
(February 24 & 25, 2016)
Nissan has pulled a mobile app for its Leaf vehicles due to unsecure
APIs that could be exploited to take remote control of certain
functions. The app required no authentication. Attackers would need to
know only the vehicle identification number (VIN) assigned to the car
to access the vehicle's climate control and battery charge management
systems. Nissan plans to relaunch the app, NissanConnectEV, when it is
fixed.
http://www.computerworld.com/article/3037996/car-tech/nissan-apologizes-shutters-mobile-app-that-left-leaf-ev-hackable.html
http://arstechnica.com/cars/2016/02/nissans-connected-car-app-offline-after-shocking-vulnerability-revealed/
http://www.darkreading.com/iot/nissan-disables-leafs-remote-telematics-system-after-profoundly-trivial-hack/d/d-id/1324448?
http://www.csmonitor.com/Technology/2016/0225/How-was-Nissan-s-electric-car-vulnerable-to-hacking
http://www.scmagazine.com/unpatched-vulnerability-in-nissan-leaf-allows-remote-attacks/article/478986/
[Editor's Note (Ullrich): The vulnerability found in this case, which
essentially allowed an attacker to control the car knowing nothing but
the somewhat predictable VIN number, is very common in mobile APIs used
to control devices. In particular the connection from the device to the
API is often only using a serial number to authenticate, making it easy
to spoof data from devices.
(Pescatore): I've counted at least 5 different automotive industry
consortia/ISAC/govt agency groups "revving their engines" about
increasing the security level of connected vehicles, but so far none of
them seems to have shifted out of neutral - noise but no movement
forward. I hope the industry transfers much of the resources away from
"autonomous vehicles" to "secure vehicles that could someday be safe
enough to control themselves."]
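The flaw class described in this post (an API that treats a knowable identifier such as the VIN as the only credential), shown next to a server-side check that authenticates the caller and then authorizes that caller for the specific vehicle. This is an added example, not part of the original post and not Nissan's code; the handler names, VINs, accounts and actions are hypothetical.

```python
import hashlib
import secrets

# Constructed sample data: VINs, account names and actions are made up.
VEHICLE_OWNER = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
ALLOWED_ACTIONS = {"climate_on", "climate_off"}
SESSIONS = {}  # sha256(token) -> account; raw tokens are never stored


def login(account):
    """Issue a random bearer token (credential verification is assumed done)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = account
    return token


def climate_insecure(vin, action):
    """Weak pattern: the VIN both selects the car and acts as the credential."""
    if vin in VEHICLE_OWNER:
        return 200, f"{action} sent to {vin}"
    return 404, "unknown vehicle"


def climate_hardened(token, vin, action):
    """Authenticate the caller first, then authorize the caller for this VIN."""
    digest = hashlib.sha256((token or "").encode()).hexdigest()
    account = SESSIONS.get(digest)
    if account is None:
        return 401, "authentication required"
    # Same answer for "not your car" and "no such car", so the endpoint
    # cannot be used to learn which VINs are enrolled.
    if VEHICLE_OWNER.get(vin) != account:
        return 403, "not authorized for this vehicle"
    if action not in ALLOWED_ACTIONS:
        return 400, "unsupported action"
    return 200, f"{action} sent to {vin}"


if __name__ == "__main__":
    alice = login("alice")
    # Anyone who knows or guesses a VIN is accepted by the weak handler.
    print(climate_insecure("TESTVIN0000000002", "climate_on"))
    # The hardened handler accepts only the owner's session for that VIN.
    print(climate_hardened(alice, "TESTVIN0000000001", "climate_on"))
    print(climate_hardened(alice, "TESTVIN0000000002", "climate_on"))
    print(climate_hardened(None, "TESTVIN0000000001", "climate_on"))
```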