Geekzone: technology news, blogs, forums




Webhead
#192056 25-Feb-2016 15:45

This story turned up in my feeds today:

 

Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

 

The short of it is: If you have a Nissan Leaf and have set up the app to control the car, ANYONE ANYWHERE can control the same functions you can control via the app. There is NO security whatsoever, and the only thing an "attacker" needs is the VIN of your car.

 

Talk about lack of security.



gzt


  #1499227 25-Feb-2016 15:57

This is only important if I can use it to turn off the annoying taillights. But otherwise I like the Leaf.



  #1499228 25-Feb-2016 16:04

Well, you could until today:

 

Update, 25 Feb: Nissan has now taken the service offline.


 
 
 
 




Webhead

  #1499240 25-Feb-2016 16:38

wellygary:

 

well you could until today:

 

Update, 25 Feb: Nissan has now taken the service offline.

 

 

 

 

Which is the right thing to do. But it boggles the mind how a car company can make something like this. It's impossible to make it less secure.




  #1499686 26-Feb-2016 11:12

Manual suggests, quote: "Data Center allows for various remote function services.
. Li-ion battery status check
. Remote charge: The function of starting Li-ion battery charge or starting the heater and air conditioner is available using your personal computer or internet enabled smart phone.
. Unplugged status: A notification e-mail will be sent to your personal computer or internet enabled smart phone if the plug is not connected at the certain time you selected, after you turning off the power switch in registered place."

 

Comment: When you turn the AV unit on - there is a menu to allow or disallow remote access. Going further into the setting - the TCU can be easily deactivated by the user.

 

When they said in the report that the hacker was able to, quote: "review its driving record" - that is an interesting claim. What exactly? Was the hacker "the man in the middle" intercepting traffic between the car and the data centre?

 

 




Webhead

  #1499692 26-Feb-2016 11:23

@Ruki - it's right there in the story. No man in the middle, just have to know the VIN (or guess it).

 

Just search for "driving history" in the story, and you will find the data that were accessible.

 

From what I understand they only used commands that were available in the app (looking at network traffic between the app and the server), so there might have been other data in the system that they didn't find.

 

Mind you, the service is closed now, and hopefully when they bring it online again it will be secured, instead of being completely accessible to the whole world.
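
The flaw discussed in this thread, shown beside the missing check, as an added example that is not part of any post here and is not Nissan's code. The handler names, VINs, users and status codes are hypothetical; the data is constructed.

```python
import secrets

# Constructed sample data: these VINs and owners are made up for the example.
VEHICLES = {
    "SAMPLEVIN00000001": {"owner": "alice", "climate_on": False},
    "SAMPLEVIN00000002": {"owner": "bob", "climate_on": False},
}
SESSIONS = {}  # session token -> username


def login(user):
    """Stand-in for a real credential check; issues an unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def set_climate_vin_only(vin, on):
    """Flawed pattern: the VIN is treated as both identifier and credential."""
    car = VEHICLES.get(vin)
    if car is None:
        return 404
    car["climate_on"] = on  # no caller identity is ever established
    return 200


def set_climate_authorized(token, vin, on):
    """Hardened pattern: authenticate the caller, then check VIN ownership."""
    user = SESSIONS.get(token)
    if user is None:
        return 401  # no valid session: reject before touching any vehicle
    car = VEHICLES.get(vin)
    # Same answer for an unknown VIN and for someone else's VIN, so the
    # endpoint cannot be used to confirm which VINs are enrolled.
    if car is None or car["owner"] != user:
        return 403
    car["climate_on"] = on
    return 200


if __name__ == "__main__":
    alice = login("alice")
    print(set_climate_vin_only("SAMPLEVIN00000002", True))           # accepted
    print(set_climate_authorized(alice, "SAMPLEVIN00000002", True))  # refused
    print(set_climate_authorized(alice, "SAMPLEVIN00000001", True))  # own car
```

A VIN is visible on the vehicle and follows a predictable format, so it can only ever serve as an identifier; the authorization decision has to come from the session.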




  #1499905 26-Feb-2016 14:59

jarledb:

 

.... No man in the middle, just have to know the VIN (or guess it).

 

... Mind you, the service is closed now, and hopefully when they bring it online again it will be secured, instead of being completely accessible to the whole world.

 

 

I have the AV unit from a USA Leaf in my LAB. The VIN is not recorded in the AV unit according to the Service Manual. It is recorded in the TCU. If you switch "Carwings" off - the TCU should not be sending any data. Knowing the VIN if the TCU is not switched on is of no value. Even if it is on - there is nothing really of an issue. Your destination point in the GPS is perhaps something a paranoid person may have concerns about.

 

In New Zealand - Japanese Leafs have a TCU with CDMA (correct me, as I did not see it in person, only online). That means - even if you want to set it up - there is only one way of doing it - swap the TCU to the one with the SIM which will work on our networks and subscribe to the service. Carwings (Nissan Connect EV) does not work without a subscription.

 

Your mobile phone is more vulnerable in that sense.

 

IT Geeks here may express their educated view on how that is different from many applications on Android phones from Google Play requiring access to your personal data including GPS position etc? How secure is that? I guess a hacker can't turn your aircon on via your mobile :-)
As for the Leaf - I may ask to send me TCU unit to see if it can accept local SIM cards. The problem is - you need to have Consult3+ to program VIN into TCU. I do not have Consult Interface Cable. Anyone?

