What started as a live demonstration with a student during a training conference has turned to scarlet-faced embarrassment for Nissan: its Leaf 'leccy shopping carts cars come with an unsecured app for checking the charge state and operating the air-con.
Troy Hunt, the Microsoft security bod best known for helping hack victims with his HaveIBeenPwned service, is part of a team-of-two (the other requesting anonymity) that turned up the utter security-we've-heard-of-it howler.
What Hunt's collaborator found and Hunt confirmed, by the straightforward mechanism of looking at what the Nissan Leaf's nifty mobile app sent over the wire, is that the Nissan Connect app uses Vehicle Identification Number (VIN) and nothing else as its access control mechanism.
Would you like replication? Here you go: other people noticed the open API without realising its security implications, and decided to use it to write an alternative version of the Nissan Connect app.
The good news – that you can't remotely start the engine – is tempered by the bad. This is an electric car, so it would be trivial to maliciously drain someone's battery if you knew their VIN.
Surely nobody would be that stupid?
Yes, they are. As Hunt notes, as he was investigating the issue late last year, other people had started noticing the same thing (including this forum post), and one of them, a security pro called Scott Helme, agreed to let Hunt reproduce the issue on his Leaf.
Their work and Hunt's work with the original collaborator amounts to this, as Helme says in Hunt's post: “It was built, intentionally, without security”.
There is no authorisation in the Leaf portal, and there's no secret token stored on the phone to restrict access to the owner: Hunt and others have tested the URL serving up vehicle data – and allowing control over cars – in ordinary browsers with the same result.
Hunt told The Register that since his post went live, others have come “out of the woodwork” with confirmation, having for example tested VIN-only access at Nissan Connect's Canada site.
By running a VIN search, Hunt was able to retrieve battery status of vehicles he had no other knowledge about.
“It's a consistent design decision to only use the VIN as the identifier”, he said.
There's one more thing: the unsecured app also represents a serious privacy breach, the kind that attracts regulator attention, because it lets attackers retrieve both personally-identifying information (it's not hard to associate a VIN with the owner), and driving history (right there in the app).
Nissan has told outlets like the BBC the issue is not “life-threatening” and that it will work on a “permanent and robust solutions”.
The Register will watch with interest to see how the company responds to the probably-inevitable privacy investigations to come.
That's also going to be a pain for users, since securing the app will at least mean they have to download a secured version. ®