Topic # 192056 25-Feb-2016 15:45

This story turned up in my feeds today:

 

Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

 

The short of it is: If you have a Nissan Leaf and have set up the app to control the car, ANYONE ANYWHERE can control the same functions you can control via the app. There is NO security whatsoever, and the only thing an "attacker" needs is the VIN of your car.

 

Talk about lack of security.






gzt

  Reply # 1499227 25-Feb-2016 15:57

This is only important if I can use it to turn off the annoying taillights. But otherwise I like the Leaf.

  Reply # 1499228 25-Feb-2016 16:04

well you could until today:

 

Update, 25 Feb: Nissan has now taken the service offline.


 
 
 
 




  Reply # 1499240 25-Feb-2016 16:38

wellygary:

 

well you could until today:

 

Update, 25 Feb: Nissan has now taken the service offline.

 

 

 

 

Which is the right thing to do. But it boggles the mind how a car company can make something like this. It's impossible to make it less secure.





  Reply # 1499686 26-Feb-2016 11:12

Manual suggests, quote: "Data Center allows for various remote function services.
. Li-ion battery status check
. Remote charge: The function of starting Li-ion battery charge or starting the heater and air conditioner is available using your personal computer or internet enabled smart phone.
. Unplugged status: A notification e-mail will be sent to your personal computer or internet enabled smart phone if the plug is not connected at the certain time you selected, after you turning off the power switch in registered place."

 

Comment: When you turn the AV unit on - there is a menu to allow or disallow remote access. Going further into the setting - the TCU can be easily deactivated by the user.

 

When they said in the report that the hacker was able to, quote: "review its driving record" - that is an interesting claim. What exactly? Was the hacker "the man in the middle" intercepting traffic between the car and the data centre?

 

 




  Reply # 1499692 26-Feb-2016 11:23

@Ruki - it's right there in the story. No man in the middle, just have to know the VIN (or guess it).

 

Just search for "driving history" in the story, and you will find the data that were accessible.

 

From what I understand they only used commands that were available in the app (looking at network traffic between the app and the server), so there might have been other data in the system that they didn't find.

 

Mind you, the service is closed now, and hopefully when they bring it online again it will be secured, instead of being completely accessible to the whole world.
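The flaw described in this post, next to the check a fixed service would need, as an added example that is not part of the thread and not Nissan's code. The data store, session handling, function names and placeholder VINs are all hypothetical.

```python
import secrets

# Constructed data; the VINs, accounts and field names are placeholders.
VEHICLES = {
    "SAMPLEVIN00000001": {"owner": "alice", "battery_pct": 80},
    "SAMPLEVIN00000002": {"owner": "bob", "battery_pct": 35},
}
SESSIONS = {}  # session token -> account name


def login(account):
    """Stand-in for real credential checking: issue an unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def battery_status_vin_only(vin):
    """Pattern the thread describes: the VIN alone selects and unlocks the car."""
    car = VEHICLES.get(vin)
    if car is None:
        return {"status": 404}
    return {"status": 200, "battery_pct": car["battery_pct"]}


def battery_status_authorized(vin, token):
    """Require a live session, then check that its account owns this VIN."""
    account = SESSIONS.get(token)
    if account is None:
        return {"status": 401}
    car = VEHICLES.get(vin)
    # An unknown VIN and someone else's VIN get the same answer, so the
    # responses cannot be used to test which VINs are registered.
    if car is None or car["owner"] != account:
        return {"status": 403}
    return {"status": 200, "battery_pct": car["battery_pct"]}


if __name__ == "__main__":
    alice = login("alice")
    print(battery_status_vin_only("SAMPLEVIN00000002"))            # bob's data, no login
    print(battery_status_authorized("SAMPLEVIN00000002", alice))   # refused
    print(battery_status_authorized("SAMPLEVIN00000001", alice))   # alice's own car
```

The VIN stays in the request as an identifier; what changes is that it no longer doubles as the credential.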





  Reply # 1499905 26-Feb-2016 14:59

jarledb:

 

.... No man in the middle, just have to know the VIN (or guess it).

 

... Mind you, the service is closed now, and hopefully when they bring it online again it will be secured, instead of being completely accessible to the whole world.

 

 

I have the AV unit from USA Leaf in my LAB. VIN is not recorded in AV unit according to the Service Manual. It is recorded in TCU. If you switch "Carwings" off - TCU should not be sending any data. Knowing VIN if TCU is not switched on is of no value. Even if it is on - there is nothing really of an issue. Your destination point in the GPS is perhaps something paranoid person may have concerns about.

 

In New Zealand - Japanese Leafs have TCU with CDMA (correct me as I did not see it in person only online). That means - even if you want to set it up - there is only one way of doing it - swap TCU to the one with the SIM which will work on our networks and subscribe to the service. Carwings (Nissan Connect EV) does not work without subscription.

 

Your mobile phone is more vulnerable in that sense.

 

IT Geeks here may express their educated view on how is that different from many applications on Android Phones from Google Play requiring access to your personal data including GPS position etc? How secure is that? I guess hacker can't turn your aircon on via your mobile :-)
As for the Leaf - I may ask to send me TCU unit to see if it can accept local SIM cards. The problem is - you need to have Consult3+ to program VIN into TCU. I do not have Consult Interface Cable. Anyone?

