Nissan’s connected car app offline after trivial to exploit vulnerability revealed

On Wednesday Nissan disabled an app that allowed owners of its electric Leaf car to control their cars’ heating and cooling from their phones, after the Australian researcher Troy Hunt showed he could use it to control others’ cars as well. The NissanConnect EV app, formerly called CarWings, enabled a remote hacker to access the Leaf’s temperature controls and review its driving record, merely by knowing the car’s VIN (vehicle identification number). The app will turn the climate control on or off without requiring any kind of authentication. When a Leaf owner connects to their car via a smartphone, the only information that Nissan’s APIs use to target the car is its VIN; the requests are all anonymous.

Those are the findings of Troy Hunt and Scott Helme, who published them on Wednesday. On Thursday, Nissan took the service offline.

Conclusion

In order to speed up the release, they had to cut corners. Well, they cut the wrong corners. These are the rules of connecting apps to a backend:

- always use encrypted connections
- authenticate the client
- authorize the client (which is different from authentication) to access various functions
- filter and validate the incoming data

Sources:
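The backend rules listed above, applied to a climate-control endpoint like the one described, as an added example (not code from Nissan, the researchers or this blog). The handler names, session table, VINs and tokens are all constructed for illustration.

```python
import re

# Constructed sample data: VINs, account names and tokens are made up.
OWNERS = {"SAMPLE00000000001": "alice", "SAMPLE00000000002": "bob"}
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}

VIN_RE = re.compile(r"[A-HJ-NPR-Z0-9]{17}")  # 17 characters, never I, O or Q
ACTIONS = {"on", "off"}


def climate_vin_only(vin, action):
    """The pattern the article describes: the VIN alone selects the car."""
    if vin in OWNERS:
        return 200, f"climate {action} for {vin}"
    return 404, "unknown VIN"


def climate_hardened(token, vin, action):
    """Rules 2 to 4: authenticate, validate, authorize.

    Rule 1 (encrypted connection) belongs to the transport layer (TLS)
    and is assumed to be enforced in front of this handler.
    """
    # Authenticate: the request must carry a session tied to an account.
    user = SESSIONS.get(token)
    if user is None:
        return 401, "authentication required"
    # Filter and validate: reject malformed VINs and unknown actions.
    if not isinstance(vin, str) or not VIN_RE.fullmatch(vin) or action not in ACTIONS:
        return 400, "invalid request"
    # Authorize: the authenticated account must own this vehicle.
    # An unknown VIN gets the same answer, so responses do not reveal
    # which VINs are registered.
    if OWNERS.get(vin) != user:
        return 403, "not your vehicle"
    return 200, f"climate {action} for {vin}"


if __name__ == "__main__":
    print(climate_vin_only("SAMPLE00000000002", "on"))
    print(climate_hardened(None, "SAMPLE00000000002", "on"))
    print(climate_hardened("token-alice", "SAMPLE00000000002", "on"))
    print(climate_hardened("token-alice", "SAMPLE00000000001", "on"))
```

Authentication and authorization are separate checks here: a valid session for one account still gets a 403 for another account's vehicle.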

More insecure software around car (in)security

As I mentioned already, anything that runs software has to abide by secure coding principles. Cars run more software than many other devices around us. And they run special software… which needs to be taken care of by other special software. And when that software is vulnerable, then you’re in trouble!

Now some researchers have demonstrated an attack that exploits a zero-day found in car mechanics software used to debug and fix cars sold by the Volkswagen Group. This software is built and sold by third parties, not Volkswagen. This is not new, I already wrote an article about this: As expected: the USB Stick-like infection from PCs goes to automotive as well!

The researchers said they only experimented with the exploit on an Audi TT model, but other car makes and models may be vulnerable as well, at least in theory.

The attack leverages poor PC security measures, not the actual car software (source: Softpedia).

The attack, as described by the three scientists, relies on infecting a car dealership’s computers with malware which leverages this vulnerability in the car computer debug tools used by mechanics. When this tool is connected to an Audi TT to perform routine maintenance checks or fixes, the malware…

As expected: the USB Stick-like infection from PCs goes to automotive as well!

Just seen this article on Wired Magazine: Car Hack Technique Uses Dealerships to Spread Malware

At the Derbycon hacker conference in Louisville, Kentucky last week, security consultant Craig Smith presented a tool designed to find security vulnerabilities in equipment that’s used by mechanics and dealerships to update car software and run vehicle diagnostics, and sold by companies like Snap-On and Bosch. Smith’s invention, built with around $20 of hardware and free software that he’s released on GitHub, is designed to seek out—and hopefully help fix—bugs in those dealership tools that could transform them into a devious method of hacking thousands of vehicles.

If a hacker were to bring in a malware-harboring car for service, the vehicle could spread that infection to a dealership’s testing equipment, which in turn would spread the malware to every vehicle the dealership services, kicking off an epidemic of nasty code capable of attacking critical driving systems like transmission and brakes, Smith said in his Derbycon talk. He called that car-hacking nightmare scenario an “auto brothel.”

“Once you compromise a dealership, you’d have a lot of control,” says Smith, who founded the open source car hacking group Open Garages, and wrote the Car Hacker’s Handbook. “You could…
