Nissan Leaf security flaw puts vehicle telematics apps under scrutiny

The security flaw in Nissan Leaf's telematic-based systems makes the industry, and consumers, more alert to privacy risks in these applications. That's a good thing.

|
PRNewsFoto/Los Angeles Auto Show/File
A Nissan Leaf on display in Los Angeles in 2010.

Drive away from the showroom in one of the more technology-forward new vehicles—or really now, nearly anything with a luxury badge—and it’s likely you at least have the option to bring some key vehicle functions with you nearly everywhere you go: in the form of an app for your iOS or Android handset.

And while these apps may be a tremendous help when it comes to tasks like unlocking your car remotely, getting roadside assistance, remembering where you parked, checking in on your battery charge or fuel tank, or priming the climate control on a cold winter day, they can represent potential windows of opportunity if automakers aren’t extremely mindful of security.

That’s been underscored this week, as an Australian cybersecurity expert, Troy Hunt, showed that hackers could hijack some of the telematics-based systems in the Nissan Leaf—such as its climate control and journey data.

Hunt did acknowledge that the issue itself wasn’t directly life-threatening. However the climate-control flaw could potentially be used to tamper with a known car—running its battery down while parked, for instance—the trip-data flaw is the more serious one, from a privacy standpoint.

Nissan did the right thing

He recommended that the right thing for Nissan to do in this situation was to turn it off. And that’s exactly what the automaker did this past day—effectively disabling the app’s functions by making the server unavailable.

Nissan clarified to us that Leaf models in the U.S. and abroad are affected by the issue, as are eNV200 vans sold overseas.

And the automaker made the following statement:

The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.

No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.

We're looking forward to launching updated versions of our apps very soon.

That said, there’s clearly a lot that automakers are missing. Two researchers, Charlie Miller and Chris Valasak, in 2014 found that most vehicle control systems weren’t designed with security as a top priority and could be compromised remotely. Cellular-based apps were one of the potential ways in which an intruder might access vehicle functions—although most were still behind keys, checksums, and multi-level cryptography.

Still, a lack of security coordination between automakers, suppliers, and other third-party app developers leaves flaws and loopholes to be discovered. Those same two researchers last year explained in detail how a Jeep Cherokee had been hacked through a security flaw in the head unit, control the sound system, and track the vehicle through its navigation system.

That led to the recall of 1.4 million U.S. vehicles, as well as an expanded recall later.

(More sophisticated) crimes of opportunity

These aren’t the sorts of crimes of opportunity you might find on the street, with keys left in a car, or a purse left inside an unlocked vehicle. Most of these flaws would take some effort and expertise to exploit—yet they remain a serious vulnerability.

The CarWings hack in the Nissan app reportedly required only the vehicle’s VIN to authenticate the app; whereas most other apps require at least one other identifier, like an e-mail and personalized PIN or password.

Sam Abuelsamid, a senior research analyst at Navigant Research, called the approach, if true, "totally unacceptable."

“Manufacturers need to develop much more robust methods of authenticating remote apps that include additional verification factors,” said Abuelsamid, "before  something catastrophic happens.”

A better way than going public?

Abuelsamid points to responsible disclosure programs that Tesla and GM have announced, through which security researchers (and hackers) can provide vulnerabilities—perhaps with a reward, or recognition—instead of first going public.

As such, automakers also need to understand that vehicle apps are different—not just that they need to hold to higher standards for being secure and bug-free, but that they need to be supported far longer than typical smartphone apps.

Anything less would be undercutting the transformative potential of these technologies.

This article first appeared at The Car Connection.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Nissan Leaf security flaw puts vehicle telematics apps under scrutiny
Read this article in
https://www.csmonitor.com/Business/In-Gear/2016/0226/Nissan-Leaf-security-flaw-puts-vehicle-telematics-apps-under-scrutiny
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe