Nissan cars can be hacked and controlled over internet

[WereCat]

Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

 

 

Quote

 

The Nissan LEAF is an electric car which is particularly popular in countries like Norway which offer massive financial incentives to stay away from combustion engines. It does all the things you’d expect of a modern EV and because it’s here in the era of the internet of things, it also has a companion app:The LEAF is an electric car which is particularly popular in countries like Norway which offer massive financial incentives to stay away from combustion engines. It does all the things you’d expect of a modern EV and because it’s here in the era of the internet of things, it also has a companion app.

 

What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs. I subsequently discovered that friend and fellow security researcher Scott Helme also has a LEAF so we recorded the following video to demonstrate the problem.What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs. I subsequently discovered that friend and fellow security researcher Scott Helme also has a LEAF so we recorded the following video to demonstrate the problem.

 

 

The app is apparently indentifying with server just by using VIN number of the car and thats it .. no aditional authentification.

 

UPDATE (reminded by @Ethnod ):

http://www.wired.co.uk/news/archive/2016-02/24/nissan-car-hacked

 

Nissan has pulled its NissanConnect EV app after it was found the software could be hacked to remotely control in-car systems.

The company confirmed the flaw and said it would release an updated version "soon".Nissan has pulled its NissanConnect EV app after it was found the software could be hacked to remotely control in-car systems.

 

The company confirmed the flaw and said it would release an updated version "soon".

 

There is a ton more in the article I just quoted the important bit. Apparently the service was taken offline today but still works for Canadians?

Looks like car makers still dont understand or underestimate the importance of software security. It is not just Nissan problem but as was shown a while ago a lot of cars manufacturers have this problem.

[Volbet]

Time to create the world's biggest game of Rocket League. 

 

How can this still happen? A couple years ago it was Teslas that were hackable. You would think that carmakers would have learned from that.

 

[dragoon20005]

Can someone give me the source code so that I can hacked the GTR?

[WereCat]

Just now, dragoon20005 said:

Can someone give me the source code so that I can hacked the GTR?

Oh, you want to go "shopping" ?

[Ex14]

Well I think we can take comfort that current cars ARENT that connected as to allow FULL control of the car.

[dragoon20005]

Just now, WereCat said:

Oh, you want to go "shopping" ?

I am in need of a GTR

 

if i can get one for free

 

why not?

[Thony]

Im surr all cheap electric cars will have this issue for a long time to come. 

 

Such a great innovation ruined by simple lack of protection. 

 

Internet is a bitch. 

 

Watch Dogs concept becoming reality.

[NateGSR117]

Now that is scary  

[TopDollar]

If you're clever enough, you can hack the CAN bus of any car and control it.

[Ethnod]

http://www.wired.co.uk/news/archive/2016-02/24/nissan-car-hacked

 

Nissan have actually taken action, I'm impressed. makes a change, actual action

[Snadzies]

Honestly, not a fan of all the computers and automated systems being put into cars today.

Makes them a bitch to work on and vulnerable to outside influences.

[ionbasa]

Good thing I have an Nissan Frontier (manual transmission). There's nothing to hack on that car  even if someone wanted too!

[branden_lucero]

dont scare me away from owning a GT-R damnit.

[PCgamer324]

Awesome

[Blade of Grass]

7 hours ago, Ethnod said:

http://www.wired.co.uk/news/archive/2016-02/24/nissan-car-hacked

 

Nissan have actually taken action, I'm impressed. makes a change, actual action

The action they have taken is weak, the API is still accessible from other domains (see the notes at the bottom of Troy's article).

 

Keep in mind though people, this provides little control over the car. You can get telemetry data and turn on/off the AC, that's about it though! No driving or door locks or anything else. Still a terrible vulnerability, and the people who designed the API made an egregious mistake. 

[Beskamir]

As long as Nissan doesn't act like it's nothing and is actually doing things to properly address the issue then there's not much reason for us to rip them to shreds. It's when they underestimate the extent of a vulnerability that we are obligated to ridicule them.