Nissan Carwings/Connect could be hacked

steelboots

http://www.bbc.co.uk/news/technology-35642749

I did wonder when setting up the Nissan Connect account, all you needed was a VIN number, and you could setup the account and see where the car is, its journeys, turn on climate control etc...

Ok, probably nothing too serious, but concerning all the same.

BoatMad

the API is a simple REST interface, I suspect the hack is into nissans servers, not direct to the car

Rafal

BoatMad wrote: »

the API is a simple REST interface, I suspect the hack is into nissans servers, not direct to the car

I would like to hope that it is the case. Nissan software development practices, however, give me zero confidence. I fear the TCU-backend might be insecure, too.

BoatMad

Rafal wrote: »

I would like to hope that it is the case. Nissan software development practices, however, give me zero confidence. I fear the TCU-backend might be insecure, too.

you'd have to hack the GSM network to access the TCU directly, thats not easy , breaking in via the nissan server is much easier and looks like what was done

Rafal

BoatMad wrote: »

you'd have to hack the GSM network to access the TCU directly, thats not easy , breaking in via the nissan server is much easier and looks like what was done

Let's hope so, and let's hope that the TCU doesn't just go online with an IP address.

The Nissan system uses combination of text messages to tell the car that a request has been made and 2G to actually relay the information from the car. The MY16 has 3G, have no idea if the system still works the same. The data connection from car happens directly to Nissan and the client app just queries the website where the updated status from car is eventually shown. So even if connection from car to Nissan was not encrypted the hacker would still need access to Nissan's servers to tap into that.

In general I can't believe that the unencrypted client-server setup would have passed security audit at the "Microsoft - Nissan alliance" when they recently put the new backend servers in place. The system as described by BBC sounds like an early proof of concept setup moved to production. Let's hope that it not true with the MS Azure based setup but only on the original Carwings setup.

BoatMad

Rafal wrote: »

Let's hope so, and let's hope that the TCU doesn't just go online with an IP address.

I do/did a lot of software for GSM car monitors.

It has been alluded to that in fact the Leaf uses SMS to communicate with the server, I find that hard to believe these days especially if the TCU has just gone 3G. If its a data connection it can have a IP addresses or it may not depending on how the link is established.

But its tricky to insert yourself into a IP stream, not to mention even discovering the IP itself.

I suspect they have just hacked the sever via user logins

BoatMad

the hack is detailed here

http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

Its basically a hack of the JSON data via the REST API to nissans server. its not direct to the car

incredibly nissan are supporting unauthorised HTTP GET sessions using just the VIN to identify the vehicle - just incredibly sloppy ( but not unusual in machine too machine systems, often security is low or non existent )

The driving history can be extracted using this method, which gives you distance travelled and battery consumption data.

This needs fixing and should never have been designed like this, OAuth etc should have been built in from the start

BoatMad

It was a " white hat hack' all the details have been reported to Nissan , so they know the server API ( which the app uses) is utterly crap.

The fact that the API requires no independent verification has been known for some time

see http://www.mynissanleaf.com/viewtopic.php?f=27&t=2214&start=100

Sounds like it will be quite an easy thing to fix. Just generate a key on the client app based on e.g. user's email and password and then make the server to calculate this key before any action is taken. Or have public and private keys like in ssh etc. etc.

Once this has been patched everybody will have to update their client app to have any access.

BoatMad

samih wrote: »

Sounds like it will be quite an easy thing to fix. Just generate a key on the client app based on e.g. user's email and password and then make the server to calculate this key before any action is taken. Or have public and private keys like in ssh etc. etc.

Once this has been patched everybody will have to update their client app to have any access.

Any number of methods available SSL, Oauth etc , all standardised and readily understood by software engineers, The fact that Nissan allowed an open API , restricted by region code and VIN to exist in the first place smacks of a company that has no technical understanding of internet software .

BoatMad

BoatMad wrote: »

Any number of methods available SSL, Oauth etc , all standardised and readily understood by software engineers, The fact that Nissan allowed an open API , restricted by region code and VIN to exist in the first place smacks of a company that has no technical understanding of internet software .

Or that they moved a demo setup in production.

BoatMad

samih wrote: »

Or that they moved a demo setup in production.

whatever , someone needs to be fired

mylesm

Cant Log on to Nissan connect App this morning is everyone else the same have Nissan shut down access waiting for fix

mylesm

Padraig Mor

mylesm wrote: »

Cant Log on to Nissan connect App this morning is everyone else the same have Nissan shut down access waiting for fix

mylesm

Business as usual for Carwings / Nissan Connect I'm afraid! Hopefully somebody will hack it and make the bloody thing work!

Rafal

mylesm wrote: »

Cant Log on to Nissan connect App this morning is everyone else the same have Nissan shut down access waiting for fix

mylesm

Nissan disabled it last night: http://www.usatoday.com/story/tech/news/2016/02/24/nissan-disables-app-hacked-electric-leaf-smart-phone-troy-hunt/80882756/

BoatMad

Rafal wrote: »

Nissan disabled it last night: http://www.usatoday.com/story/tech/news/2016/02/24/nissan-disables-app-hacked-electric-leaf-smart-phone-troy-hunt/80882756/

so much for all the work on the TCU and its delays

mylesm

I have to say for Someone who was going to buy a New Leaf all these problems are really not on

It is really very poor Customer Service from Nissan the Cars are advertised with all the features and when you purchase one some of the features dont work

I know most people on here are very EV Friendly and indeed I am but there is no excuse for Nissan Releasing this before it was completely operable

Although I like my Leaf I would certainly like to have all the Features I paid for

And also if they disabled the app as per above link why did nissan not inform each A/C holder they have our contact details the only way I knew it was disabled was through this forum its way beyond poor customer service

myles

BoatMad

Its crazy to disable the app, there was no real issue , and they could have fixed the security while allowing the app to remain online

now it will take months to sort I suspect as it will need a new server side fix as well

faithfulfan

BoatMad wrote: »

Its crazy to disable the app, there was no real issue , and they could have fixed the security while allowing the app to remain online

now it will take months to sort I suspect as it will need a new server side fix as well

^This^

Daft move by Nissan to remove the app. I find one of the best ways to extend the range of the leaf on a cold day is to pre-heat via the app while the car is plugged in. The car defrosts and also tops off the battery while doing so. Spectacular own goal, even rolling back to Carwings would have solved the issue afaik.

BoatMad

even rolling back to Carwings would have solved the issue afaik

I believe they have disabled Nissan Connect EV have they not as well

faithfulfan

They have disabled the Nissan Connect app but not the Connect service as I can still access via web browser.

The Nissan Connect app replaced the Carwings app but it seems Carwings did not have the same security flaw, more info here:
https://transportevolved.com/2016/02/24/major-security-flaw-with-nissanconnect-ev-telematics-system-means-hackers-can-access-your-leaf-electric-car-with-just-its-vin/

BoatMad

faithfulfan wrote: »

They have disabled the Nissan Connect app but not the Connect service as I can still access via web browser.

The Nissan Connect app replaced the Carwings app but it seems Carwings did not have the same security flaw, more info here:
https://transportevolved.com/2016/02/24/major-security-flaw-with-nissanconnect-ev-telematics-system-means-hackers-can-access-your-leaf-electric-car-with-just-its-vin/

Just to be clear, The Hack was done on CARwings, not NissanConnectEV. but as I understand it the API is the same anyway

are we correct in that both Carwigs and NissanConnectEV APIs are no longer internet accessible and hence the iPhone app is done on both systems???

faithfulfan

As far as I can tell it is the Connect app that has the flaw and not the older Carwings app see info below:

As regulars to the site will know, NissanConnect EV launched last year as a replacement to the notoriously unreliable Nissan Carwings system for electric cars. While offering the same level of functionality as one another to pre-2016 Nissan electric vehicles, Carwings and NissanConnect EV may connect to customers’ cars in the same way as one another, but use a completely different user-facing API to form as the bridge between an owner’s smartphone or computer and Nissan’s own servers.
With Carwings, Nissan generated a special authentication certificate upon login, which had to be transmitted each and every time a request was made of the XML SOAP API. While it was secure, it was the source of some frustration of developers who often called it a “pain to work with.”
Nissan’s new API by contrast, follows more contemporary methods of passing data from one device to another and, when examined in its original format, seems to ask for the usual login details that you’d expect of any securely-implemented service. But while those who have documented the API note that Nissan’s initial login process does indeed seem to securely transmit an owner’s NissanConnect EV username and password over https, subsequent requests do not.

BoatMad

faithfulfan wrote: »

As far as I can tell it is the Connect app that has the flaw and not the older Carwings app see info below:

I dont think its all that difference, the carwings API, transmitted a sessionID and serve id, but that all you needed for that was access to a valid VIN ( any VIN and your session ID) but maybe you are right people bandy about Carwings and NCEV and mistakingly mix then up

personally I like the wit of this reply

"I think the biggest shock is that you actually got a carwings API to work at all!

seemingly the web portal continues to work
"


EDIT: You are quite correct the issue is solely to do with NissanConnectEV and is API