Troy Hunt has uncovered a flaw in the Nissan Leaf’s companion app that allows hackers to see data about recent journeys and meddle with other aspects of the vehicle such as climate control and battery life. All they need is the vehicle identification number (VIN).
Mr. Hunt gave Nissan one month to fix the flaw before disclosing it publicly. His position is that Nissan should disable the app, which has no authentication at all. Speaking to IT Security Guru, Richard Kirk, Senior VP at AlienVault, had the following to say:
“According to the research done by Troy Hunt, this is one of the most basic security mistakes that could be made. There is no user authorisation to validate that the user of the app is the owner of the car. It is hard to understand how a major global car manufacturer like Nissan could have a) allowed an app to be designed in such a way and b) not performed some degree of app security assessment and penetration testing before placing the app in the app store.
“If the app or car system developer were to add new app features, such as remote door unlocking or remote engine disablement, and they assumed that the app itself was safe and secure, then there could be serious implications, including either the theft of a car or its contents, or even an accident. This might sound extreme however other car manufacturers already provide similar app features.”
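The design mistake Kirk describes, an API that treats the VIN as if it were a credential, is easiest to see next to its corrected form. The following is an added illustration, not Nissan's code or API: a toy vehicle back end with an insecure status lookup keyed only on the VIN, beside a hardened version that first authenticates the caller and then checks that the requested VIN belongs to that account. The vehicle records, user store, `login`, token scheme and function names are all constructed for the example.

```python
"""
Added illustration of the flaw discussed in the article: a telematics-style
back end that trusts a VIN alone, beside a hardened version that requires an
authenticated user and checks that the user owns the vehicle. All names,
data and the token scheme are constructed for the example; none of it is
Nissan's code or API.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: two vehicles, two owners.
VEHICLES = {
    "VIN-EXAMPLE-0001": {"owner": "alice", "battery_pct": 81, "climate_on": False},
    "VIN-EXAMPLE-0002": {"owner": "bob", "battery_pct": 44, "climate_on": True},
}

# Constructed user store. A real system would hold salted password hashes.
USERS = {"alice": "alice-secret", "bob": "bob-secret"}

# Key used to sign session tokens; generated fresh each run for the example.
SERVER_KEY = secrets.token_bytes(32)


class AuthError(Exception):
    """Caller could not be identified."""


class Forbidden(Exception):
    """Caller is identified but not allowed to touch this vehicle."""


# --- Vulnerable pattern: identity is whatever VIN the caller sends -----------
def vehicle_status_insecure(vin: str) -> dict:
    """Anyone who knows a VIN gets its status. No caller identity is established."""
    return dict(VEHICLES[vin])


# --- Hardened pattern: authenticate the caller, then authorise per vehicle ---
def login(username: str, password: str) -> str:
    """Return a signed session token (HMAC over the username) for a valid user."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        raise AuthError("bad credentials")
    tag = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def _user_from_token(token: str) -> str:
    """Verify the token signature and recover the account it was issued to."""
    try:
        username, tag = token.split(".", 1)
    except ValueError:
        raise AuthError("malformed token")
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise AuthError("invalid token")
    return username


def vehicle_status_secure(token: str, vin: str) -> dict:
    """Caller must be authenticated, and the VIN must belong to that caller."""
    user = _user_from_token(token)
    vehicle = VEHICLES.get(vin)
    # Deny the same way whether the VIN is unknown or belongs to someone else,
    # so the response does not reveal which VINs exist.
    if vehicle is None or vehicle["owner"] != user:
        raise Forbidden("vehicle not accessible to this account")
    return dict(vehicle)


def set_climate_secure(token: str, vin: str, on: bool) -> dict:
    """State-changing calls go through the same ownership check as reads."""
    vehicle_status_secure(token, vin)  # raises unless the caller owns the VIN
    VEHICLES[vin]["climate_on"] = on
    return dict(VEHICLES[vin])


if __name__ == "__main__":
    print(vehicle_status_insecure("VIN-EXAMPLE-0002"))  # no credentials needed
    tok = login("alice", "alice-secret")
    print(vehicle_status_secure(tok, "VIN-EXAMPLE-0001"))
    try:
        vehicle_status_secure(tok, "VIN-EXAMPLE-0002")
    except Forbidden as exc:
        print("blocked:", exc)
```

The point of the hardened half is that the VIN is only a resource identifier: the caller's identity comes from a credential the server issued, and every read or write on a vehicle is checked against the owner recorded for that VIN. Unknown and foreign VINs are refused with the same response so the endpoint cannot be used to confirm which identifiers are valid.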
That missing check is what makes the app so vulnerable. Although the Leaf hacks are not life-threatening, security on devices such as cars has to be kept to a high standard to prevent vulnerabilities like the Jeep hack of 2015, in which researchers took control of the vehicle’s systems, including the brakes, stereo and steering. Our video report on that hack is at the bottom of the page.
So are car companion apps really necessary, or is the security risk simply too great for your safety on the roads? Mark James, a Security Specialist at ESET, gave us his take:
“The first thing I would ask myself is: do I really need to connect my car to the internet, either through a website or a smartphone app? The most likely answer is no. If you do, then make sure you regularly check the information you are sending; most can be configured to turn features on and off, and check again after each update. We are no longer striding towards an internet-connected world; we are now running downhill towards anything and everything being connected, without regard for security and safety. It may seem like an inconvenience to have to authenticate to turn your heated seats or steering wheel on when it’s cold and icy in the morning, but it’s better than having another portion of your private life exposed for all to see and plunder.”
So for now, it seems our security is often being traded off for the sake of convenience. What could be added to apps like this to reduce the risk?
If we take this in the context of the countless recent stories of IoT devices being breached, it’s clear that the industry falls short when it comes to the security of its users. Reiner Kappenberger, Global Product Manager at HPE Security – Data Security, told us that “companies developing IoT solutions focus on the feature and functionality set that they need to make the consumer experience easy and enjoyable. The developers have the best intentions and do a terrific job creating those applications. However, they are typically not security experts and, therefore, implement protocols that either have limited or no security elements incorporated.”
Speaking on the climate within the industry as a whole, he continues: “Making sure that security is a first-class citizen during the design and development phase of those applications is more critical in the IoT space than ever before.
“While today’s security best practices focus on the security of the data, with IoT we now must consider the implications for the physical security of infrastructure and of people, as we see in the connected car. What if other systems in the car could be breached?”
The post Leaf it out mate! Nissan car hijacked by security researcher appeared first on IT SECURITY GURU.