Insecure APIs mean hackers can take control of electric cars through the Internet
Drivers of Nissan Leaf cars were warned that their electric cars could be remotely accessed by hackers via the internet to control some of their systems.
The flaw was discovered by Australian security researcher Troy Hunt and is focused on the Nissan Leaf’s mobile app.
While the flaw won’t allow hackers to take control of the car’s driving systems or unlock doors, it can be used to command the car to turn up the heating or air conditioning, running down the car’s battery and leaving a driver stranded.
Hunt said in a blog post that using a web browser and knowledge of the target vehicle’s identification number (VIN), it was possible to take control.
In a video, Hunt demonstrated how he was able to control the systems of an electric car owned by a fellow security researcher in England while Hunt himself was in Australia.
“We elected for me to sit outside in a sunny environment while Scott was shivering in the cold to demonstrate just how remote you can be and still control features of someone else’s car, literally from the other end of the earth,” said Hunt.
Such exploits may be used to distract a driver and access private driving data.
Hunt had given Nissan a month to fix the flaw before he went public with the claim. He recommended users disable their Nissan CarWings account until a fix is implemented.
A Nissan spokeswoman told the BBC that the car maker was unable to comment on the matter at the present time.
Richard Kirk, senior vice president, AlienVault, told Internet of Business that there is no user authorisation to validate that the user of the app is the owner of the car.
“It is hard to understand how a major global car manufacturer like Nissan could have a) allowed an app to be designed in such a way and b) not performed some degree of app security assessment and penetration testing before placing the app in the app store,” he said.
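The missing check described above, sketched as an added example (not Nissan's code and not taken from Hunt's post): a climate-control handler that trusts the VIN alone, beside one that authenticates the caller and verifies that the account owns the vehicle. The VINs, account names, key and function names are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample data: placeholder VINs and account names, not real ones.
SERVER_KEY = b"constructed-demo-key"
VEHICLE_OWNER = {"VIN-PLACEHOLDER-0001": "alice", "VIN-PLACEHOLDER-0002": "bob"}


def _tag(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Session token handed out after login: account name plus an HMAC tag."""
    return f"{account}.{_tag(account)}"


def account_from_token(token: str | None) -> str | None:
    """Return the account a token was issued to, or None if missing or forged."""
    if not token or "." not in token:
        return None
    account, tag = token.rsplit(".", 1)
    ok = hmac.compare_digest(tag.encode(), _tag(account).encode())
    return account if ok else None


def climate_weak(vin: str, action: str) -> tuple[int, str]:
    """Pattern described in the article: the VIN alone selects the car."""
    if vin not in VEHICLE_OWNER:
        return 404, "unknown vehicle"
    return 200, f"climate {action} queued for {vin}"


def climate_hardened(token: str | None, vin: str, action: str) -> tuple[int, str]:
    """Authenticate the caller, then check that the caller owns the VIN."""
    account = account_from_token(token)
    if account is None:
        return 401, "authentication required"
    # Same answer for unknown VINs and other people's VINs, so the endpoint
    # cannot be used to confirm which VINs are registered.
    if VEHICLE_OWNER.get(vin) != account:
        return 403, "not authorised for this vehicle"
    if action not in ("on", "off"):
        return 400, "unsupported action"
    return 200, f"climate {action} queued for {vin}"
```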
Electric cars and security flaws
Mark James, security specialist at ESET, told Internet of Business that drivers should ask themselves if they really need to connect to their cars through the internet or an app.
“The most likely answer is no, if you do then make sure you regularly check the information you are sending, most can be configured to turn features on and off and check after each update.
“We are no longer striding towards an internet connected world we are now running downhill towards anything and everything being connected without regard for security and safety.”
In other news, a consortium of companies in the UK has secured government funding for a study of driverless cars in the UK.
The Atlas project is led by Ordnance Survey and counts among its members Satellite Applications Catapult, the Transport Research Laboratory (TRL), Sony Europe Ltd, two leading UK specialist SMEs in autonomous and navigation systems, GOBOTIX and OxTS, and the Royal Borough of Greenwich.
The investment will fund research into and development of communication between vehicles and the roadside infrastructure. The Atlas project will commence on 1 May 2016.
Jeremy Morley, Ordnance Survey’s chief geospatial scientist, stressed the strength of the consortium and the potential benefits from the Atlas project: “Autonomous vehicles will need to find their way reliably and safely through a vast network of streets while interacting with driven and other autonomous vehicles.”
“These vehicles will combine the power of advanced sensors to detect road conditions, cutting-edge 5G communications technology to access a stream of data about the world around them, and geographical databases of routes, destinations and points of interest. We’re already seeing developments along these lines as collaborations between mapping organisations and a range of car manufacturers – BMW, Audi, et al.”