Nissan LEAF Security Flaws Exposed

With the Internet of Things making connected objects an everyday occurrence, more engineers and consumers are turning their thoughts to security. While having smart products can enhance the consumer experience, many fear that their information is prone to hacking — and ultimately being controlled by someone else. Nissan is among headlines this week for a notable security breach of its LEAF vehicles; the electric car’s smartphone app, NissanConnect EV, has vulnerabilities. It is designed to calculate charge, driving range, heating and mileage.

The news broke when researchers Troy Hunt and Scott Helme discovered that they could connect to any LEAF via an insecure API (application programming interface) for the NissanConnect EV. Because the car is only identified through a VIN (vehicle identification number) on the app, Hunt and Helme found that anyone could possibly enumerate VINs to control the functions of any vehicle that responded. This meant that not only were heating and air-conditioning systems hackable, but current and historic journey data could also be accessed. The commands could be sent via a Web browser.

Despite the fact that driving capabilities are not controlled from NissanConnect EV, it does raise larger questions regarding security protocols for Internet of Things devices. According to the BBC, Nissan said there was no safety threat. However, the company has pulled the app and will relaunch it once it has been updated.

"No other critical driving elements of the Nissan Leaf are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence," a Nissan spokesman wrote to Computerworld. "The only functions that are affected are those controlled via the mobile phone -- all of which are still available to be used manually, as with any standard vehicle."

The event is certainly drawing commentary from the cybersecurity community at large, urging Nissan and other Internet of Things developers to invest in security measures for consumers.

"Companies developing IoT solutions focus on the feature and functionality set that they need to make the consumer experience easy and enjoyable. The developers have the best intentions and do a terrific job creating those applications. However they are typically not security experts and, therefore, implement protocols that either have limited or no security elements incorporated,” says Reiner Kappenberger, global product manager at HPE Security. "What manufacturers and developers of IoT devices need to consider is that it is not only the protocol they use but also the authentication and authorization to these services. Clearly the Nissan LEAF attack shows that neither of these were present but they could be fixed easily with a software update. It also demonstrates that the communication between the mobile device and the back end was not encrypted."

Even with industry response, security concerns will not be diminishing anytime soon. According to a Fall 2015 study by Rogue Software and Security Innovation, 90% of engineers said it is difficult to secure automotive applications. Over half of respondents felt security was an add-on feature to the software development cycle and feel they lack the training for security-enabling technologies.

“One of the most disappointing statistics is that over half the developers don’t think their company has the necessary training or technology to ensure that the software running in our cars is secure,” says Rod Cope, CTO of Rogue Wave Software. “This means that regardless of engineering talent, companies aren’t able to secure their code.”

Below you'll find news coverage from BBC.