fahed2000
Posts: 3
Joined: Sun Feb 21, 2016 11:46 am
Delivery Date: 03 Mar 2015

Nissan LEAF / NissanConnect EV severe security vulnerability

Wed Feb 24, 2016 7:19 am

Anyone seen this article on BBC News
http://www.bbc.co.uk/news/technology-35642749
Apparently some Nissan Leaf vehicle's can be hacked via car wings as shown on http://www.troyhunt.com/2016/02/control ... n.html?m=1

MODERATORS NOTE:
Multiple threads merged. Will be updating this post with instructions on how to secure yourself until Nissan fixes this severe security vulnerability.

Update 2/24/16 19:00 PDT: It's been reported that Nissan has disabled the API blocking the issue for now.

Summary:

There is a severe vulnerability in NissanConnect EV which allows one to access your account using only your VIN. Once in, this user can issue any command to your car that you would be able to, as well as view your historical data. If you have not registered or set up your vehicle, you are not vulnerable.

How to secure yourself and your vehicle:

The only known way to secure access to your vehicle is to disable NissanConnect EV until Nissan fixes this issue. It appears that the only way to do this is through the Nissan website. If you have made your VIN public, such as through your profile on this site, recommend you remove it.

US LEAF Owners:
Go to the US site and log in: https://www.nissanusa.com/nowners/
Select "Manage Vehicle" and click "Decline" for the NissanConnect EV Agreement.
Alternatively, you can "Delete Vehicle", which will delete all your driving history!

UK LEAF Owners:
Go to the UK site and log in: https://www.nissan.co.uk/GB/en/YouPlus/ ... _leaf.html
Select "Configuration" and Click the "Remove CarWings".

Canadian, French, Norwegian owners are also confirmed as vulnerable. One should assume that all LEAF telematics systems are vulnerable.
Last edited by DaveEV on Wed Feb 24, 2016 8:14 pm, edited 4 times in total.

DoobeeDude
Posts: 38
Joined: Sat Aug 08, 2015 3:10 pm
Delivery Date: 08 Aug 2015

Carwings Security Flaws documented in detail

Wed Feb 24, 2016 8:14 am

Post says it all...

Once someone has your VIN, they basically have full access to all Carwings features and data.

http://www.troyhunt.com/2016/02/control ... issan.html
2015 Silver SL
delivered Aug 2015

arnis
Posts: 962
Joined: Sat Jan 23, 2016 3:21 pm
Delivery Date: 23 Jul 2014
Leaf Number: 015896
Location: Estonia, Europe

Re: Nissan Leaf hack vulnerability disclosed

Wed Feb 24, 2016 10:12 am

Don't worry! Nissan will fix it within 5 years. This is how long it took to make Carwings into a thing that works (NissanConnect EV).
Short range EVs <30kWh -- Medium range: 30-60kWh -- Long range: >60kWh
Charging: Trickle <3kW -- Normal 3-22kW -- Fast 50-100kW -- Supercharging >100kW

Valdemar
Posts: 2625
Joined: Tue May 10, 2011 10:32 pm
Delivery Date: 09 Sep 2011
Location: Oak Park, CA

Re: Nissan Leaf hack vulnerability disclosed

Wed Feb 24, 2016 10:36 am

arnis wrote:Don't worry! Nissan will fix it within 5 years. This is how long it took to make Carwings into a thing that works (NissanConnect EV).
The fix is already coming later this year, at least in the US: http://mynissanleaf.com/viewtopic.php?f=31&t=21522

:D
'11 SL, totaled
-1CB@33k/21mo, -2CB@53k/33mo, -3CB@68k/41mo, -4CB(41.5AHr)@79k/49mo, -5CB(38.85AHr)@87.5k/54mo
-0CB(66.14AHr)@87.5k/54mo (BBB), -1CB(53.92Ahr)@140k/29mo,
51.1AHr, SOH 80%, 150k miles

9kW Solar

Valdemar
Posts: 2625
Joined: Tue May 10, 2011 10:32 pm
Delivery Date: 09 Sep 2011
Location: Oak Park, CA

Re: Carwings Security Flaws documented in detail

Wed Feb 24, 2016 10:37 am

Fascinating. Even basic HTTP authentication would be better than this.
'11 SL, totaled
-1CB@33k/21mo, -2CB@53k/33mo, -3CB@68k/41mo, -4CB(41.5AHr)@79k/49mo, -5CB(38.85AHr)@87.5k/54mo
-0CB(66.14AHr)@87.5k/54mo (BBB), -1CB(53.92Ahr)@140k/29mo,
51.1AHr, SOH 80%, 150k miles

9kW Solar

taloyd
Posts: 52
Joined: Mon Oct 07, 2013 11:08 am
Delivery Date: 04 Dec 2013
Leaf Number: 422799
Location: Los Angeles, CA, USA
Contact: Website

Troy Hunt article on weak networking security of Nissan Leaf

Wed Feb 24, 2016 11:38 am

Hello,

This was just posted - another case of car manufacturers/non-high-tech industry not following best practices WRT security:

http://www.troyhunt.com/2016/02/control ... n.html?m=1

Teaser:
We elected for me to sit outside in a sunny environment whilst Scott was shivering in the cold to demonstrate just how remote you can be and still control feature of someone else’s car, literally from the other end of the earth.
Hope Nissan figure this out, although it's nothing like the remote-control-brakes-off story about Chrysler:
http://www.wired.com/2015/07/jeep-hack- ... s-bug-fix/

Cheers from 2016,
Tal
Last edited by taloyd on Wed Feb 24, 2016 11:43 am, edited 1 time in total.
2017 Bolt LT (w/ DCQC)
Purchased 2017/07
MON DIEU - what a treat!

2013 Leaf SV
Purchased (not leased!) 2013/09
59,860 - lost first bar. :-(

taloyd
Posts: 52
Joined: Mon Oct 07, 2013 11:08 am
Delivery Date: 04 Dec 2013
Leaf Number: 422799
Location: Los Angeles, CA, USA
Contact: Website

Re: Troy Hunt article on weak networking security of Nissan Leaf

Wed Feb 24, 2016 11:43 am

...and in case there are any anti-free-speech chest-beating types, here's the authors description of his good-faith contacting Nissan before publicly disclosing this very obvious, gaping security hole:
Disclosure timeline
I made multiple attempts over more than a month to get Nissan to resolve this and it was only after the Canadian email and French forum posts came to light that I eventually advised them I’d be publishing this post. Here’s the timeline (dates are Australian Eastern Standard time):

23 Jan: Full details of the findings sent and acknowledged by Nissan Information Security Threat Intelligence in the U.S.A.
30 Jan: Phone call with Nissan to fully explain how the risk was discovered and the potential ramifications followed up by an email with further details
12 Feb: Sent an email to ask about progress and offer further support to which I was advised “We're making progress toward a solution”
20 Feb: Sent details as provided by the Canadian owner (including a link to the discussion of the risk in the public forum) and advised I’d be publishing this blog post “later next week”
24 Feb: This blog published, 4 weeks and 4 days after first disclosure
All in all, I sent ten emails (there was some to-and-fro) and had one phone call. This morning I did hear back with a request to wait “a few weeks” before publishing, but given the extensive online discussions in public forums and the more than one-month lead time there’d already been, I advised I’d be publishing later that night and have not heard back since. I also invited Nissan to make any comments they’d like to include in this post when I contacted them on 20 Feb or provide any feedback on why they might not consider this a risk. However, there was nothing to that effect when I heard back from them earlier today, but I’ll gladly add an update later on if they’d like to contribute.

I do want to make it clear though that especially in the earlier discussions, Nissan handled this really well. It was easy to get in touch with the right people quickly and they made the time to talk and understand the issue. They were receptive and whilst I obviously would have liked to see this rectified quickly, compared to most ethical disclosure experiences security researches have, Nissan was exemplary.
2017 Bolt LT (w/ DCQC)
Purchased 2017/07
MON DIEU - what a treat!

2013 Leaf SV
Purchased (not leased!) 2013/09
59,860 - lost first bar. :-(

dhanson865
Moderator
Posts: 1496
Joined: Wed May 25, 2011 7:12 am
Leaf Number: 16156
Location: Tennessee

Re: Carwings Security Flaws documented in detail

Wed Feb 24, 2016 11:50 am

Has anyone tried this on a US VIN? The article mentions Canada, France, Norway, but no US.
Blue 2012 Leaf 195/65/15 tires, 15" Rims
Silver 2012 Leaf 16" stock wheels
http://www.mynissanleaf.com/wiki/index. ... acity_Loss
(efficiency 3.x KW vs 6.x KW)
please join Truedelta.com and input your repairs.

TwiglettMike
Posts: 3
Joined: Sun Jul 13, 2014 3:22 pm
Delivery Date: 23 Apr 2014
Leaf Number: 416949

Re: Nissan Leaf hack vulnerability disclosed

Wed Feb 24, 2016 12:25 pm

reading through this, the only way to really stop this is to terminate your EVConnect agreement and decline the terms of service.
I contacted Nissan support and they can do it for you or you can login on the webpage to do it yourself.
The only real information I got from Nissan was a canned statement about how much they care about security etc etc.
Obviously not enough to actually code the service to be secure, but they really do care, honest.

The sad part is that there probably is security between the car and the nissan datacenter, but zero security on the customer facing side.
The only reason they use the vin is so they know its the right car, there are no other checks at all - pathetic.
2013 SL, 13K miles, 12 bars.
always L2 charge to 100% -- never use eco mode and drive it like I stole it :)

w6vms
Posts: 67
Joined: Wed Mar 20, 2013 7:18 pm
Delivery Date: 20 Mar 2013
Location: Raleigh, NC

Leaf Hacking

Wed Feb 24, 2016 12:25 pm


Return to “News & Main LEAF Discussion”