Nissan Leaf "Hacked" - warning

Twiglett
I put "Hacked" because it isn't really a hack, rather it looks like Nissan have been practicing security through obscurity rather than designing it in from the start.
http://www.bbc.com/news/technology-35642749
Basically the Nissan telematics application just uses the VIN as its authentication without any form of validation.
The attacker can then do everything that the owner has enabled remotely.
On the Leaf, that is heating/cooling, access to telemetry and driving data etc etc

Contacting Nissan just got a standard "we take security seriously" nonsense.
Still looking for what ever method can be used to stop anyone with my VIN from controlling my car etc
 
Just to update
The link to the original information from the guy who found it.
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

Looks like the only way to block this right now is to remove your EVConnect account - and the only way to do that is to decline the EVConnect agreement.
Without that anyone can leave you stranded just by turning on your AC remotely or turning off time charging etc
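An added illustration of the flaw these posts describe (this is example code written for this thread, not Nissan's code or anything from Troy Hunt's write-up): a request handler that treats the VIN as its only credential, beside a hardened handler that requires a logged-in session and checks the VIN is registered to that account. The account, VIN and event log are constructed sample data.

```python
import secrets

# Constructed sample data: which VIN belongs to which owner account.
OWNERS = {"owner@example.com": {"VIN-EXAMPLE-0001"}}
SESSIONS = {}   # opaque session token -> account email
EVENT_LOG = []  # (who, vin, action) tuples, the basis for HVAC notifications


def login(email):
    """Issue an opaque session token for an owner who has already authenticated
    (the password/MFA step itself is out of scope for this example)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def hvac_vulnerable(vin, on):
    """The pattern described in the thread: the VIN alone is accepted as proof
    of ownership, so any request naming a VIN is carried out."""
    EVENT_LOG.append(("anonymous", vin, "hvac_on" if on else "hvac_off"))
    return {"status": "ok", "vin": vin}


def hvac_hardened(token, vin, on):
    """Require a valid session, then check that this account owns the VIN.
    The VIN is an identifier, not a secret, so it must never be the credential."""
    email = SESSIONS.get(token)
    if email is None:
        return {"status": "error", "reason": "unauthenticated"}
    if vin not in OWNERS.get(email, set()):
        # Same response whether the VIN exists or not, so the endpoint does
        # not confirm which VINs are enrolled.
        return {"status": "error", "reason": "forbidden"}
    EVENT_LOG.append((email, vin, "hvac_on" if on else "hvac_off"))
    return {"status": "ok", "vin": vin}


def owner_events(email):
    """Every event touching an owner's vehicles, whoever triggered it: this is
    what an owner-facing HVAC notification would be built on, so an unexpected
    remote start shows up even when the caller was never identified."""
    vins = OWNERS.get(email, set())
    return [e for e in EVENT_LOG if e[1] in vins]
```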
 
Just to update
The link to the original information from the guy who found it.
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

Looks like the only way to block this right now is to remove your EVConnect account - and the only way to do that is to decline the EVConnect agreement.
Without that anyone can leave you stranded just by turning on your AC remotely or turning off time charging etc

Yep, from the video, looks like this would be reasonably simple for Nissan to fix and although limited to non-critical systems the ability to run down anyone's battery remotely, without authorization, is unfortunate.

Turn off EVConnect access appears to be the only solution until Nissan addresses
 
I haven't been able to connect to mine for a few weeks. They changed their site and to update they have insisted on putting in your social security number, which isn't legal for them to do.
 
no auth, no security.

The only saving grace is 2G goes dead at the end of this year so even if they do or don't fix this it'll take a hardware radio upgrade to get these back to a hackable state.
Built in obsolescence and Nissan wonder why they can't increase market share.
I can only hope the Model ☰ forces the Leaf 2 back to the drawing board.
After the entertainment I've had with my Leaf I will never own another Nissan.
 
I haven't been able to connect to mine for a few weeks...

When they forced the switch from Carwings to Nissan Connect they broke remote access for me, except I have been using this so-called hack for heating this Winter.

This information has been circulating for at least two years as a workaround for Carwings issues. AFAIK there is no access to user information or telemetry. Just HVAC on/off.

In the unlikely event you're targeted by someone turning on heat when it might make a difference, you can undo their action. Just enable text and email notifications for HVAC events and you'll know.
 
When they forced the switch from Carwings to Nissan Connect they broke remote access for me, except I have been using this so-called hack for heating this Winter.

This information has been circulating for at least two years as a workaround for Carwings issues. AFAIK there is no access to user information or telemetry. Just HVAC on/off.

In the unlikely event you're targeted by someone turning on heat when it might make a difference, you can undo their action. Just enable text and email notifications for HVAC events and you'll know.
sadly this is not just enabling heat etc, it allows anything you can do with carwings/EVConnect
So changing charge time, stop charging, heat time etc
Check the video on Troy's site - happily download data - basically publicly available.
 
So... Can I just write a script that runs through all the VIN numbers, and sets all the HVAC to max heat, grabs all info, and moves to next?

strictly... For research, of course. Not the mass depletion of leaf batteries as a joke. ;)
 
sadly this is not just enabling heat etc, it allows anything you can do with carwings/EVConnect
So changing charge time, stop charging, heat time etc
Check the video on Troy's site - happily download data - basically publicly available.

You can't stop charging with the API.

You can do the rest.

Starting charging would only be malicious if TOU rates were in effect (making someone pay for more expensive electricity) or the car was in a very hot environment and you started charging in the afternoon sun (in which case the car probably isn't plugged in).

The heat/AC is forced at 75F and nothing in the API can change that so you can't heat the car above that or cool the car below that. If it is near 70F outside it won't cost anyone any real energy. It'd be an issue in extreme cold though.

Getting your email address from the API responses would likely be more malicious than anything else they can do with it.

- - - Updated - - -

So... Can I just write a script that runs through all the VIN numbers, and sets all the HVAC to max heat, grabs all info, and moves to next?

strictly... For research, of course. Not the mass depletion of leaf batteries as a joke. ;)

again the leaf will only preheat to 75F and precool to 75F, nothing in the API can override that, they hard coded it in the leaf firmware with no override.
 
I haven't been able to connect to mine for a few weeks. They changed their site and to update they have insisted on putting in your social security number, which isn't legal for them to do.
Of course it's legal. Anyone can ask anyone if they will willingly disclose their SSN. It's not illegal for them to require it to participate in an optional service they are offering. If you don't like it, you don't have to use it.
 
I haven't been able to connect to mine for a few weeks. They changed their site and to update they have insisted on putting in your social security number, which isn't legal for them to do.

Odd, I just checked and the site and app still work for me and I've never been prompted for a SSN. Either you are doing something different than me or Nissan is doing something different for you than they do for me.

are you starting from Owner Portal aka https://owners.nissanusa.com/nowners/user/home or another URL?
 
You can't stop charging with the API.

You can do the rest.

Starting charging would only be malicious if TOU rates were in effect (making someone pay for more expensive electricity) or the car was in a very hot environment and you started charging in the afternoon sun (in which case the car probably isn't plugged in).

The heat/AC is forced at 75F and nothing in the API can change that so you can't heat the car above that or cool the car below that. If it is near 70F outside it won't cost anyone any real energy. It'd be an issue in extreme cold though.

Getting your email address from the API responses would likely be more malicious than anything else they can do with it.

again the leaf will only preheat to 75F and precool to 75F, nothing in the API can override that, they hard coded it in the leaf firmware with no override.
The auto AC/Heat only runs for a limited time anyway, maybe 15-20 minutes, but the current draw is really high and would be the difference between getting home or not for me.
The thing about the charging is changing the time that the charge happens (or just cancelling it). I have mine set to make sure it is complete before 4am to make sure I roll out with a full charge each morning.
Essentially anything on their site is public access. There are already websites that let you query any Leaf in the world.
And Nissan still have no response - pathetic.
Roll on Model 3
 
The heat/AC is forced at 75F and nothing in the API can change that so you can't heat the car above that or cool the car below that. If it is near 70F outside it won't cost anyone any real energy. It'd be an issue in extreme cold though.
..
again the leaf will only preheat to 75F and precool to 75F, nothing in the API can override that, they hard coded it in the leaf firmware with no override.
On '13+ Leafs, you can change the desired temperature for the pre-heat/pre-cool via the car's menus, but NOT thru the Carwings/NissanConnect app. Mine's currently set to 72 F.
The auto AC/Heat only runs for a limited time anyway, maybe 15-20 minutes, but the current draw is really high and would be the difference between getting home or not for me.
IIRC, it runs for up to an hour when the car's plugged into a working EVSE. If it's not plugged in, it stops after 15 minutes.

And Nissan still have no response - pathetic.
They disabled it and provided a response at Nissan Leaf app deactivated because it's hackable. I actually found NissanConnect EV Update: Smartphone App, API No-Longer Accepting Connections As Nissan Works to Fix Flaw | Transport Evolved first and confirmed that NissanConnect no longer works for me via Android and iOS versions of their app.
 
I haven't been able to connect to mine for a few weeks. They changed their site and to update they have insisted on putting in your social security number, which isn't legal for them to do.

I never had to give my SS number to use it. I couldn't even if asked since I'm a Canadian owner with a US vehicle. I posted over at the Leaf forum how to get Carwings (now EVConnect) to work in Canada with a US imported vehicle.

It really sucks that they turned off the app until this gets fixed. I have no concern about someone "hacking" into my Leaf, although there's no excuse for the vulnerability. My wife and kids use the app a lot to preheat. And we use it to go from 80% to 100% when extra range is needed.
 
I haven't been able to connect to mine for a few weeks. They changed their site and to update they have insisted on putting in your social security number, which isn't legal for them to do.
I didn't bother even checking their owner portal after the Carwings to NissanConnect switchover fiasco for which many people wasted a lot of time re-registering, calling Nissan, etc.

I just logged in tonight (wasn't a very smooth process) and had to update some info, but I was NEVER asked for my social security number. Perhaps your machine has malware which has injected extra fields onto web pages you visit (and thus sends that info to some evil server somewhere)? Example of a malware toolkit that can do this is Zeus. Skip to ~6:35 of Zeus: King of crimeware toolkits | SymantecTV for a demo.
 
I didn't bother even checking their owner portal after the Carwings to NissanConnect switchover fiasco for which many people wasted a lot of time re-registering, calling Nissan, etc.

I just logged in tonight (wasn't a very smooth process) and had to update some info, but I was NEVER asked for my social security number. Perhaps your machine has malware which has injected extra fields onto web pages you visit (and thus sends that info to some evil server somewhere)? Example of a malware toolkit that can do this is Zeus. Skip to ~6:35 of Zeus: King of crimeware toolkits | SymantecTV for a demo.

It was the Nissan Connect that asked for it. There appeared to be no way to get to CarWings otherwise. The App just gives a login denied.

Zeus only affects computers with that insecure operating system on them.
 
It was the Nissan Connect that asked for it. There appeared to be no way to get to CarWings otherwise.
Nowhere on Owner Portal as part of updating your info or signing up for NissanConnect should it ask for your Social Security Number. I've never heard of anyone ever been asked that.

If so (and I can't fathom why), you should call NissanConnect Support | Nissan USA "Call our NissanConnectSM customer support agents toll-free, Monday through Saturday, 8am to 12am Eastern Time.

1-855-426-6628" to confirm whether they really should be asking and why.

I'm 95% sure I never had to give that info when I originally registered for Carwings when it was still called that in 2013. I'm 99% sure I never had to give that up either when I had to add the Leaf I bought in July 2015 to replace the Leaf I returned at end of lease at end of July 2015.

If you truly are being asked, I'm pointing back at malware on your machine.
Zeus only affects computers with that insecure operating system on them.
Sure, but Zeus was just an example. It isn't the only malware that can inject illicit content into your browser.
The App just gives a login denied.
Yeah, because of Nissan Leaf app deactivated because it's hackable. I can confirm it's disabled now for both my iPhone and Android phone. The error dialog on both is "The service cannot be provided. Please try it again or contact NISSAN." It was working about 24 - 48 hours earlier, as I know I'd set the climate control timer and/or remotely triggered CC in that time period.

I can still use Owner Portal though. That definitely still works.
 