Nissan Leaf EV doesn't require authentication
by Nikola Strahija on February 25th, 2016

An attendee of a computer security workshop discovered that the Nissan Leaf's API doesn't require authentication to control certain features of this electric vehicle.
The workshop, led by Troy Hunt, among other things teaches how to inspect, intercept and control API requests between client apps and the backend services running on a server - and that's where things got interesting for one particular attendee of this workshop.
He asked to remain nameless, so we'll call him Jan. He decided to test Nissan's mobile app for its LEAF EV and found out that he could control other people's LEAFs - without authentication. The app and Nissan's backend services are designed such that there is no authentication at all: all you need to send is the vehicle's VIN. Troy recorded a video with fellow researcher Scott Helme for his blog:
Front screen of Nissan LEAF's app:
When the app starts, it fetches its information from the following URL via a GET request:
and gets a JSON response with battery status, plugin state, air conditioning status:
Now if you look at the GET request closely you'll notice that it only sends the VIN - no token, hash, password or anything else that could count as authentication. Jan continued to look at the requests the app sent for the AC On/Off commands and noticed that even then the app sent no authentication of any kind, just the VIN.
URL used to send the AC On/Off request:
and the JSON response:
The following day at the workshop Jan showed Troy a photo of a Nissan Leaf VIN he had found on the Internet. They sent a general API request with that VIN and got a response back. Since the original VIN and the one found on the Internet differed by only 5 digits, they decided to test about 100 different VINs.
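The design problem described above is that the VIN, a value printed on the dashboard and routinely visible in photos and sale listings, is the only thing the backend checks before returning data or switching the climate control. The following is an added example, not Nissan's code and not from Troy's write-up: it contrasts a VIN-only handler with one that first authenticates the caller with a session token and then checks that the caller actually owns the requested VIN. The endpoint names, field names, in-memory stores and sample VINs are all constructed for illustration. The hardened version also returns the same "not found" response for "not yours" and "does not exist", so a logged-in user cannot use the endpoint to confirm which other VINs are registered.

```python
"""VIN-only telematics handlers versus authenticated, ownership-checked ones.

Added example, not Nissan's code. All names and data below are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample backend state: two vehicles belonging to two users.
VEHICLES: Dict[str, dict] = {
    "VIN-EXAMPLE-0001": {"battery_pct": 80, "plugged_in": True, "ac_on": False},
    "VIN-EXAMPLE-0002": {"battery_pct": 35, "plugged_in": False, "ac_on": False},
}
OWNERS: Dict[str, Set[str]] = {"alice": {"VIN-EXAMPLE-0001"}, "bob": {"VIN-EXAMPLE-0002"}}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# --- Flawed design: the VIN is the only "credential" -------------------------
def vulnerable_battery_status(vin: str) -> Response:
    """Anyone who knows a VIN gets the vehicle's data; 404 confirms which VINs exist."""
    car = VEHICLES.get(vin)
    if car is None:
        return Response(404, {"error": "unknown vin"})
    return Response(200, dict(car))


def vulnerable_set_ac(vin: str, on: bool) -> Response:
    """Same flaw on a state-changing command: no caller identity at all."""
    car = VEHICLES.get(vin)
    if car is None:
        return Response(404, {"error": "unknown vin"})
    car["ac_on"] = on
    return Response(200, {"ac_on": on})


# --- Hardened design: authenticate the caller, then authorise the VIN --------
class SessionStore:
    """Opaque bearer tokens issued at login (the login UI itself is assumed)."""

    def __init__(self) -> None:
        # Only the SHA-256 of each token is kept server-side.
        self._by_hash: Dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = user
        return token

    def user_for(self, token: Optional[str]) -> Optional[str]:
        if not token:
            return None
        return self._by_hash.get(self._digest(token))


def _authorise(sessions: SessionStore, token: Optional[str],
               vin: str) -> Tuple[Optional[str], Optional[Response]]:
    """Return (user, None) on success or (None, error response)."""
    user = sessions.user_for(token)
    if user is None:
        return None, Response(401, {"error": "authentication required"})
    # Ownership check: Bob's valid session must not reach Alice's car.
    # "Not yours" and "does not exist" get the identical response so the
    # endpoint cannot be used to enumerate registered VINs.
    if vin not in VEHICLES or vin not in OWNERS.get(user, set()):
        return None, Response(404, {"error": "not found"})
    return user, None


def hardened_battery_status(sessions: SessionStore, token: Optional[str],
                            vin: str) -> Response:
    _, err = _authorise(sessions, token, vin)
    if err is not None:
        return err
    return Response(200, dict(VEHICLES[vin]))


def hardened_set_ac(sessions: SessionStore, token: Optional[str],
                    vin: str, on: bool) -> Response:
    _, err = _authorise(sessions, token, vin)
    if err is not None:
        return err
    VEHICLES[vin]["ac_on"] = on
    return Response(200, {"ac_on": on})


if __name__ == "__main__":
    store = SessionStore()
    bob = store.login("bob")
    print(vulnerable_battery_status("VIN-EXAMPLE-0001"))          # 200: anyone can read it
    print(hardened_battery_status(store, bob, "VIN-EXAMPLE-0001"))  # 404: not Bob's car
    print(hardened_battery_status(store, bob, "VIN-EXAMPLE-0002"))  # 200: Bob's own car
```

The token check alone is not enough: the ownership lookup in `_authorise` is the part that stops one legitimate customer from operating another customer's vehicle, which is exactly the class of flaw described above. Rate limiting per session and logging of 404s from authenticated users are sensible additions on a real backend, but they complement the ownership check rather than replace it.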
Please note, to the best of my knowledge and with the information that is available right now, this API attack cannot stop the engine, hit the brakes or do anything to put lives in danger; however, it can disclose information or empty the car's battery. Since the API doesn't talk to the server directly, shutting this service down can be done quickly. Implementing authentication requires client updates, but that shouldn't be a problem. What bothers me is not knowing how many functionalities of EV cars are accessible over the air, whether authenticated or not. EVs are slowly gaining in numbers, and a public disclosure of a vulnerability like this is just a start, in my opinion.
We know for a fact that a Tesla can be unlocked remotely by their service center with over-the-phone authentication, but what else? How secure is Tesla-to-server communication? What about the Chevy Bolt - will they make the same mistake as Nissan?
If you want to know a bit more about the whole process that Troy and Jan went through using Burp Suite, you should check out Troy's blog.
Update 1, 25 Feb, 12:00 - Nissan has taken the API service offline.
Update 2, 25 Feb, 14:20 - According to a user on Troy's blog and further correspondence via email, it appears that the Canadian API is still accessible using only the VIN.