2016 Nissan Leaf
Drive away from the showroom in one of the more technology-forward new vehicles—or really now, nearly anything with a luxury badge—and it’s likely you at least have the option to bring some key vehicle functions with you nearly everywhere you go: in the form of an app for your iOS or Android handset.
And while these apps may be a tremendous help when it comes to tasks like unlocking your car remotely, getting roadside assistance, remembering where you parked, checking in on your battery charge or fuel tank, or priming the climate control on a cold winter day, they can represent potential windows of opportunity if automakers aren’t extremely mindful of security.
That’s been underscored this week, as an Australian cybersecurity expert, Troy Hunt, showed that hackers could hijack some of the telematics-based systems in the Nissan Leaf—such as its climate control and journey data.
Hunt did acknowledge that the issue itself wasn’t directly life-threatening. However the climate-control flaw could potentially be used to tamper with a known car—running its battery down while parked, for instance—the trip-data flaw is the more serious one, from a privacy standpoint.
Nissan did the right thing
He recommended that the right thing for Nissan to do in this situation was to turn it off. And that’s exactly what the automaker did this past day—effectively disabling the app’s functions by making the server unavailable.
2011 Nissan Leaf Carwings
Nissan clarified to us that Leaf models in the U.S. and abroad are affected by the issue, as are eNV200 vans sold overseas.
And the automaker made the following statement:
The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
We're looking forward to launching updated versions of our apps very soon.
That said, there’s clearly a lot that automakers are missing. Two researchers, Charlie Miller and Chris Valasak, in 2014 found that most vehicle control systems weren’t designed with security as a top priority and could be compromised remotely. Cellular-based apps were one of the potential ways in which an intruder might access vehicle functions—although most were still behind keys, checksums, and multi-level cryptography.
Still, a lack of security coordination between automakers, suppliers, and other third-party app developers leaves flaws and loopholes to be discovered. Those same two researchers last year explained in detail how a Jeep Cherokee had been hacked through a security flaw in the head unit, to control the sound system, and to track the vehicle through its navigation system.
That led to the recall of 1.4 million U.S. vehicles, as well as an expanded recall later.
(More sophisticated) crimes of opportunity
These aren’t the sorts of crimes of opportunity you might find on the street, with keys left in a car, or a purse left inside an unlocked vehicle. Most of these flaws would take some effort and expertise to exploit—yet they remain a serious vulnerability.
Trinity, professional hacker [from The Matrix]
The CarWings hack in the Nissan app reportedly required only the vehicle’s VIN to authenticate the app; whereas most other apps require at least one other identifier, like an e-mail and personalized PIN or password.
Sam Abuelsamid, a senior research analyst at Navigant Research, called the approach, if true, "totally unacceptable."
“Manufacturers need to develop much more robust methods of authenticating remote apps that include additional verification factors,” said Abuelsamid, "before something catastrophic happens.”
A better way than going public?
Abuelsamid points to responsible disclosure programs that Tesla and GM have announced, through which security researchers (and hackers) can provide vulnerabilities—perhaps with a reward, or recognition—instead of first going public.
Tesla Model S service apps [CleanTechnica]
As such, automakers also need to understand that vehicle apps are different—not just that they need to hold to higher standards for being secure and bug-free, but that they need to be supported far longer than typical smartphone apps.
Anything less would be undercutting the transformative potential of these technologies.