Slashdot Mirror


Nissan Leaf HVAC-Hack Vulnerability Disclosed (bbc.com)

GWBasic writes: Some of Nissan's Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to [Troy Hunt,] a prominent security researcher. .... Mr Hunt said the root of the problem was that the firm's NissanConnect app needed only a car's vehicle identification number (VIN) to take control. That means that pranksters could pretty easily run down a Leaf's battery via Nissan's app just by cycling through VIN numbers, which, the article points out, typically vary only in the last few digits for same-region Leafs, and for an electric car that's a big deal -- you can't just get a quick jump and be on your way. For now, Hunt says, the only thing owners can do is disable the remote-control feature completely.

16 of 116 comments

  1. Jesus christ by Anonymous Coward · · Score: 5, Insightful

    I've been driving for nearly 30 years and I have yet to come up with a reason why my car needs to be on the internet. Or my DVD player. Or TV. Or refrigerator. Or light bulbs. They all seem to work just fine in standalone mode.

    1. Re:Jesus christ by Alumoi · · Score: 2

      If it ain't broken don't fix it.
      "Improvement" for the sake of it is not improvement, just more bling.

    2. Re:Jesus christ by gstoddart · · Score: 2

      When you see weekly stories about horses getting hacked via a smartphone app with trivial security, do let us know.

      If these connected cars have security as bad as this, it's pretty pathetic, if not bordering on criminally incompetent.

      The problem is every idiot rushes to the market to say "ZOMG ... teh app", and what they produce is complete and utter crap.

      --
      Lost at C:>. Found at C.
  2. At this point... by QuietLagoon · · Score: 3, Insightful
    ... for such an egregious lapse in security to be present in a vehicle, it should be criminal.

    It appears that is the only way the car manufacturers will sit up and pay attention to the need for security in their vehicles.

  3. Remote Start / HVAC Runtime Anyone? by GTRacer · · Score: 2

    How is this any different than a regular ICE car having remote start? Those have been pitched as "get the car warmed up inside and out before stepping outside!" deals for ages now.

    That's a perfectly accepted use case now. The problem is the app/IoT side. Currently, it uses your keyfob to "authenticate" the request.

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  4. Re:Tiny non-problem discovered by cayenne8 · · Score: 3, Insightful

    Why would you have a remote control feature on a car enabled at ALL?

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  5. as a LEAF owner by Kevoco · · Score: 4, Informative

    This does not bug me, much - the Nissan EV app's remote HVAC feature is nice for warming up the car in the morning while it is still attached to the home charger. You can heat the interior without impacting the traction battery. Little known fact: heating a LEAF that's been parked outside in freezing weather has a greater impact on the battery (driving range) than cooling the same vehicle in the summer.

  6. Re:Cycle through VINs? by msauve · · Score: 2

    But it's secure! Someone told them that best practice was to implement 2 part security, something they know, and something they have. They have the car, and they know the VIN.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  7. Re:Tiny non-problem discovered by beelsebob · · Score: 5, Insightful

    Because it's really convenient to be able to start the air conditioning remotely, so that the car is already cool when you get in it. This is especially important with electric cars, where the power to cool the car down initially will then be drawn from the grid, not the battery.

  8. Re:Tiny non-problem discovered by JackieBrown · · Score: 2

    I have seen those and can understand its appeal. Especially if it's limited against moving the car out of park.

    Picture yourself on a 20 degree day starting your car by remote and having the heat start while you sit in your warm living room enjoying your first cup of coffee.

  9. Re:Tiny non-problem discovered by bobbied · · Score: 3, Funny

    Why would you have a remote control feature on a car enabled at ALL?

    If Google is successful, it will soon also support the command "go pick up the pizza I ordered."

    How? Sit in the parking lot flashing lights and honking horn until somebody notices and drops the pie in the driver's seat?

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  10. All this talk by Marginal Coward · · Score: 4, Funny

    All this talk about hijacking a car's HVAC system puts me into a cold sweat.

  11. Re:Tiny non-problem discovered by Ralph Wiggam · · Score: 2

    I own a Leaf in the desert southwest. Being able to turn on the AC from your phone is fantastic. The difference between getting into an 80 degree car and a 120 degree car is pretty huge.

  12. AT&T 2G Sunset by certsoft · · Score: 2

    Nissan Leafs use AT&T 2G modems to connect to the server, so do Ford's Focus Electric and Energi PHEVs. AT&T 2G dies at the end of 2016 so I guess the problem will solve itself eventually.

  13. Troy Hunt by mjwx · · Score: 2

    Some of Nissan's Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to [Troy Hunt,] a prominent security researcher

    It was actually Troy's brother, Mike, who discovered the vulnerability.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  14. Re:Tiny non-problem discovered by goose-incarnated · · Score: 2

    That's the big advantage of an electric car, no range anxiety, unlike with a petrol car.

    No one gets range anxiety when they can fill up anywhere on their route in less than five minutes.

    (Is this one of those things where you think that if enough people repeat it enough it will become true? Those approaches hardly ever work).

    --
    I'm a minority race. Save your vitriol for white people.