Two security researchers discovered totally insecure APIs that made the world's best-selling electric car, the Nissan LEAF, vulnerable to hackers who could obtain private information about a vehicle's operations and travels and even control key vehicle functions.
Troy Hunt, Microsoft MVP for Developer Security, was tipped off by a Nissan LEAF owner going by the name Jan, who used Fiddler to proxy requests from his iPhone to the NissanConnect EV iOS app that LEAF owners can use to monitor and control their LEAF.
Jan noticed that the request to the API endpoint that returned information about the status of his vehicle's battery did not require any authentication and appeared to identify his vehicle with its Vehicle Identification Number, or VIN, which can easily be obtained.
Using a photo and a software tool called Burp, Hunt was able to find the VIN of another LEAF and verify the unbelievable: with nothing more than a VIN associated with a Nissan LEAF vehicle whose owner had registered with the NissanConnect EV app, an attacker could access information about, and control certain functions of, somebody else's automobile.
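The access-control gap described above, modelled as an added example (this is not Nissan's code and the VINs, accounts and tokens are constructed sample values): the first handler identifies the car by VIN alone, the second authenticates the caller and then checks that the VIN belongs to that caller's account.

```python
import hmac

# Constructed sample data: which account owns which vehicle, and which
# session token maps to which account. Not real VINs or tokens.
VEHICLES = {
    "VIN-SAMPLE-0001": {"owner": "alice", "battery_pct": 78},
    "VIN-SAMPLE-0002": {"owner": "bob", "battery_pct": 41},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def battery_status_insecure(params):
    """The pattern the article describes: the VIN in the request is the
    only thing identifying the car, and the caller's identity is never
    checked, so anyone holding a VIN can read any registered vehicle."""
    vin = params.get("vin")
    car = VEHICLES.get(vin)
    if car is None:
        return 404, {"error": "unknown vehicle"}
    return 200, {"vin": vin, "battery_pct": car["battery_pct"]}


def _caller(headers):
    """Resolve a bearer token to an account using a constant-time compare;
    returns None when the token is missing or unknown."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    for known, account in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return account
    return None


def battery_status_secure(headers, params):
    """Hardened form: authenticate first, then authorize the requested VIN
    against the caller's own vehicles. An unknown VIN and someone else's
    VIN both return 404 so the endpoint does not reveal which VINs are
    registered with the service."""
    account = _caller(headers)
    if account is None:
        return 401, {"error": "authentication required"}
    vin = params.get("vin")
    car = VEHICLES.get(vin)
    if car is None or car["owner"] != account:
        return 404, {"error": "unknown vehicle"}
    return 200, {"vin": vin, "battery_pct": car["battery_pct"]}
```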
While the LEAF does not offer unfettered remote access to the most important vehicle functions, Scott Helme, an information security consultant who worked with Hunt to further investigate the flawed Nissan APIs using his own Nissan LEAF, pointed out that the shoddy APIs could be exploited to cause real harm:
Fortunately, the Nissan Leaf doesn't have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered. Still, a malicious actor could cause a great deal of problems for owners of the Nissan Leaf. Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it. It's much like being able to start the engine in a petrol car to run the AC, it's going to start consuming the fuel you have in the tank. If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it... You'd be stranded.
Absolutely No Excuses
Unfortunately, Nissan's insecure APIs did not go unnoticed by others. In fact, discussion of the APIs and the fact that they didn't require authentication was found in numerous locations, including a French message board thread that dated to December, suggesting that potentially large numbers of people have known about this for months.
Despite the fact that many people were aware of Nissan's totally vulnerable APIs, after ten emails, a phone call and more than a month, Nissan had not yet fixed its APIs and Hunt published a blog post detailing his findings. Following publication, Nissan apparently responded by taking its APIs offline and shuttering its NissanConnect EV app.
The automaker promised a new, secure app in the near future and promised that its "200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence."
But should they have confidence in Nissan?
It's hard to find reasonable excuses for such poorly designed APIs. After all, while a company might be forgiven for falling victim to a sophisticated attack, it's practically inconceivable that a company would build an API that provides access to an automobile's innards without requiring authentication.
What's worse, according to Hunt, differences between the API endpoints seen in Canada and Norway suggest that Nissan might have managed to build multiple APIs for different regions which all lacked access control. While Hunt wonders "if perhaps the build of these apps is delegated to local groups who perhaps don’t pass through the same levels of rigour you’d expect at the global level," this still presents an indefensible scenario.
APIs associated with passenger vehicles demand an even greater level of security and reliability. If the connected car is to go far, automakers like Nissan simply can't afford to make such basic API design mistakes.
The good news is that the tools used to experiment with and reverse engineer APIs – even secure ones – are now plentiful and accessible, so as this incident highlights, it is going to be increasingly difficult for automakers, as well as connected car platforms and app developers, to get away with mistakes of this kind.