
Nissan Leaf EV doesnt require authentication

by Nikola Strahija on February 25th, 2016

An attendee of a computer security workshop discovered that Nissan Leaf's API doesn't require authentication to control certain features of this electric vehicle.


The workshop, led by Troy Hunt, among other things teaches how to inspect, intercept and control API requests between client apps and the backend services running on a server - and that's where things got interesting for one particular attendee of this workshop.

He (who asked to remain nameless, so we'll call him Jan) decided to test Nissan's mobile app for its LEAF EV and found that he could control other people's LEAFs - without authentication. The app and Nissan's backend services are designed with no authentication at all: all you need to send is the vehicle's VIN. Troy recorded a video with fellow researcher Scott Helme for his blog.



Figure: front screen of the Nissan LEAF app (image not reproduced here).

Upon running the app, it downloads info from the following URL via a GET request:
GET https://[nissan-backend-api].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21

and gets a JSON response with battery status, plug-in state and air conditioning status.

Figure: the app's first JSON response, containing the battery information (image not reproduced here).

Now if you look at the GET request closely you'll notice that it sends only the VIN - no token, hash, password or anything else that could count as authentication. Jan continued to look at the requests the app sent during AC On/Off commands and noticed that even then the app didn't send any kind of authentication, just the bare VIN.

URL used to send the AC On/Off request:
GET https://[nissan-backend-api].com/orchestration_1111/gdc/ACRemoteRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris

and the JSON response:

Figure: the app's JSON response to the AC On/Off request (image not reproduced here).
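To make the missing check concrete, here is an added example that is not Nissan's code and not from Troy's blog: a miniature model of the two endpoints above, first behaving as the article describes (the VIN in the query string is the only input), then with what is missing - a session token that identifies an account, and an authorization check that the account actually owns the VIN it is asking about. The VINs, account names and the "owns this car" table are constructed sample data, and the real API's request/response fields beyond the VIN are not reproduced.

```python
# Added example (not Nissan's code): a VIN-keyed remote command endpoint as the
# article describes it, beside a version with authentication and authorization.
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (hypothetical VINs and accounts, not real vehicles).
VEHICLES = {
    "SJNFAAZE0U60AAAAA": {"battery_pct": 71, "ac_on": False},
    "SJNFAAZE0U60BBBBB": {"battery_pct": 44, "ac_on": True},
}
# Which account is allowed to see and control which VIN: the table the
# vulnerable endpoint never consults.
OWNERSHIP = {"alice": {"SJNFAAZE0U60AAAAA"}, "bob": {"SJNFAAZE0U60BBBBB"}}
SESSIONS: dict = {}  # bearer token -> account name, filled by login()


def login(username: str) -> str:
    """Issue an unguessable bearer token for a user who has already proven
    their identity (the password check itself is elided here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def _vin_from_query(url: str) -> str:
    """Pull the VIN parameter out of a request URL like the ones in the article."""
    return parse_qs(urlsplit(url).query).get("VIN", [""])[0]


def handle_vulnerable(url: str) -> dict:
    """Behaviour the article describes: anyone who supplies a VIN that exists
    gets its battery data, and the AC endpoint toggles the air conditioning."""
    vin = _vin_from_query(url)
    car = VEHICLES.get(vin)
    if car is None:
        return {"status": 404}
    if urlsplit(url).path.endswith("ACRemoteRequest.php"):
        car["ac_on"] = not car["ac_on"]
    return {"status": 200, "vin": vin, **car}


def handle_hardened(url: str, bearer_token: Optional[str]) -> dict:
    """Same endpoints with two added checks: a valid session (authentication)
    and ownership of the requested VIN by that session's account (authorization)."""
    vin = _vin_from_query(url)
    user = SESSIONS.get(bearer_token or "")
    if user is None:
        return {"status": 401}  # no valid session at all
    if vin not in OWNERSHIP.get(user, set()):
        # Same 404 for "not your car" and "no such car", so the endpoint
        # cannot be used to confirm which VINs exist.
        return {"status": 404}
    car = VEHICLES[vin]
    if urlsplit(url).path.endswith("ACRemoteRequest.php"):
        car["ac_on"] = not car["ac_on"]
    return {"status": 200, "vin": vin, **car}


if __name__ == "__main__":
    battery_url = ("https://example.invalid/orchestration_1111/gdc/"
                   "BatteryStatusRecordsRequest.php?RegionCode=NE&VIN=SJNFAAZE0U60AAAAA")
    print("vulnerable, no credentials:", handle_vulnerable(battery_url))
    print("hardened, no credentials:  ", handle_hardened(battery_url, None))
    print("hardened, wrong account:   ", handle_hardened(battery_url, login("bob")))
    print("hardened, owner:           ", handle_hardened(battery_url, login("alice")))
```

The point of the hardened handler is that the VIN stays in the request (it still identifies the car) but it no longer functions as a credential; the identity comes from the session, and the ownership lookup is what ties that identity to one specific vehicle. Returning the same 404 for "not yours" and "does not exist" also removes the oracle that made the "about 100 different VINs" test described below so informative.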

The following day at the workshop Jan showed Troy a photo of a Nissan Leaf VIN he had found on the Internet. They sent a general API request with that VIN and got a response back. Since the original VIN and the one found on the Internet differed by only 5 digits, they decided to test about 100 different VINs.
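From the operator's side, the test just described leaves a distinctive trace: one client asking the backend about many different VINs in a short time, while a genuine owner's app polls the same one or two VINs over and over. The following added example (mine, not code from Nissan, Troy or the article) parses constructed access-log lines in an assumed format, counts distinct VINs per client address within a sliding window, and flags addresses over a threshold. The log layout, field names, IP addresses and VINs are all assumptions built for the example.

```python
# Added example (not from the article): detect VIN enumeration in constructed
# access-log lines. Log format, addresses and VINs are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed log line shape:  <ip> [<ISO timestamp>] "GET <url> HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<url>\S+) HTTP/1\.1" (?P<status>\d{3})$'
)


def _log_line(ip: str, ts: datetime, vin: str) -> str:
    """Format one constructed log line for the endpoint named in the article."""
    return (f'{ip} [{ts.isoformat()}] "GET /orchestration_1111/gdc/'
            f'BatteryStatusRecordsRequest.php?RegionCode=NE&VIN={vin} HTTP/1.1" 200')


def constructed_log() -> list:
    """Constructed sample traffic: one ordinary owner, one two-car household,
    one client walking through sequential VINs, plus a line in the wrong format."""
    base = datetime(2016, 2, 24, 10, 0, 0)
    lines = []
    for i in range(6):  # ordinary owner: same VIN polled every minute
        lines.append(_log_line("198.51.100.4", base + timedelta(minutes=i), "SJNFAAZE0U60AAAAA"))
    for i in range(4):  # household with two cars: two VINs, alternating
        lines.append(_log_line("198.51.100.9", base + timedelta(minutes=i), f"SJNFAAZE0U60BBBB{i % 2}"))
    for i in range(12):  # enumerating client: 12 consecutive VINs in three minutes
        lines.append(_log_line("203.0.113.7", base + timedelta(seconds=15 * i), f"SJNFAAZE0U60{i:05d}"))
    lines.append("this line is not in the expected format")
    return lines


def find_vin_enumeration(lines, window_minutes: int = 10, threshold: int = 5) -> dict:
    """Return {ip: max distinct VINs seen within any window} for every client
    address whose maximum reaches the threshold. Lines that do not match the
    assumed format, or carry no VIN parameter, are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        vin = parse_qs(urlsplit(m["url"]).query).get("VIN", [""])[0]
        if not vin:
            continue
        events[m["ip"]].append((datetime.fromisoformat(m["ts"]), vin))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        worst = 0
        for i, (t_end, _) in enumerate(evs):
            # distinct VINs in the window that ends at this event
            seen = {v for t, v in evs[: i + 1] if t_end - t <= window}
            worst = max(worst, len(seen))
        if worst >= threshold:
            flagged[ip] = worst
    return flagged


if __name__ == "__main__":
    for ip, count in find_vin_enumeration(constructed_log()).items():
        print(f"{ip}: {count} distinct VINs within 10 minutes")
```

The threshold is deliberately above the handful of VINs a real household or a small NAT-ed office would produce; in production the address would not be the only key (a device or app identifier, where the API has one, separates clients sharing an address), and the useful response to a hit is rate limiting and review rather than an automatic block. Note that this detection only narrows the damage; the fix the article calls for is authentication on the endpoint itself.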

Please note, to the best of my knowledge and with the information available right now, this API attack cannot stop the engine, hit the brakes or do anything else that puts lives in danger; it can, however, disclose information or drain the car's battery. Since the API doesn't talk to the server directly, shutting this service down can be done quickly. Implementing authentication requires client updates, but that shouldn't be a problem. What bothers me is not knowing how many functions of EV cars are accessible over the air, whether authenticated or not. EVs are slowly gaining in numbers, and a public disclosure of a vulnerability like this is just the start, in my opinion.
We know for a fact that a Tesla can be unlocked remotely by its service center after over-the-phone authentication, but what else? How secure is Tesla-to-server communication? What about the Chevy Bolt - will they make the same mistake as Nissan?

If you want to know a bit more about the whole process that Troy and Jan went through using Burp Suite, you should check out Troy's blog.

Update 1, 25 Feb, 12:00 - Nissan has taken the API service offline.
Update 2, 25 Feb, 14:20 - According to a user on Troy's blog and further correspondence via email, it appears that the Canadian API is still accessible using only the VIN.

