Nissan Leaf HVAC-Hack Vulnerability Disclosed (bbc.com) 116
GWBasic writes: Some of Nissan's Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to [Troy Hunt,] a prominent security researcher. .... Mr Hunt said the root of the problem was that the firm's NissanConnect app needed only a car's vehicle identification number (VIN) to take control. That means that pranksters could pretty easily run down a Leaf's battery via Nissan's app just by cycling through VIN numbers, which, the article points out, typically vary only in the last few digits for same-region Leafs, and for an electric car that's a big deal -- you can't just get a quick jump and be on your way. For now, Hunt says, the only thing owners can do is disable the remote-control feature completely.
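The root cause in the summary is that the VIN, a value printed on the windshield, was the only thing the backend checked before acting on a vehicle. The following is an added example, not Nissan's code or anything from Troy Hunt's write-up: it contrasts a request handler that authorizes on the VIN alone with one that requires an authenticated session and checks that the VIN is linked to that account. The fleet table, account names, VIN strings and the `login` helper are all constructed placeholders.

```python
"""Added example: VIN-only authorization versus account-bound authorization."""
import secrets

# Constructed fleet: VIN -> owning account. Placeholder VINs, not real vehicles.
FLEET_OWNER = {
    "VIN-EXAMPLE-0001": "alice",
    "VIN-EXAMPLE-0002": "bob",
}

# Constructed session store: bearer token -> account name.
SESSIONS = {}


def login(account):
    """Hypothetical login: issues an unguessable bearer token for an account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def hvac_vulnerable(vin, action):
    """The pattern the article describes: knowing a VIN is treated as proof of ownership.

    Returns an (http_status, message) pair. No credential is consulted at all.
    """
    if vin not in FLEET_OWNER:
        return (404, "unknown vehicle")
    return (200, f"{action} sent to {vin}")


def hvac_hardened(token, vin, action):
    """Hardened form: the caller must be authenticated, and the VIN must be linked
    to the caller's own account before any command is relayed to the car.
    """
    account = SESSIONS.get(token)
    if account is None:
        return (401, "authentication required")
    owner = FLEET_OWNER.get(vin)
    # Same response whether the VIN is unknown or belongs to someone else, so the
    # endpoint cannot be used to confirm which VINs exist on the platform.
    if owner != account:
        return (403, "vehicle not linked to this account")
    return (200, f"{action} sent to {vin}")


if __name__ == "__main__":
    alice = login("alice")
    print(hvac_vulnerable("VIN-EXAMPLE-0002", "climate_on"))        # anyone with bob's VIN
    print(hvac_hardened(None, "VIN-EXAMPLE-0002", "climate_on"))    # no session
    print(hvac_hardened(alice, "VIN-EXAMPLE-0002", "climate_on"))   # wrong account
    print(hvac_hardened(alice, "VIN-EXAMPLE-0001", "climate_on"))   # own car
```

The ownership check is the whole fix: a VIN is a public identifier, not a secret, so the server has to decide on the basis of who is asking rather than what vehicle they name. Keeping the unknown-VIN and wrong-owner responses identical also removes the side channel that would otherwise tell a caller which VINs are enrolled.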
Jesus christ (Score:5, Insightful)
I've been driving for nearly 30 years and I have yet to come up with a reason why my car needs to be on the internet. Or my DVD player. Or TV. Or refrigerator. Or light bulbs. They all seem to work just fine in standalone mode.
Re: (Score:2)
Riders wish they had bumper to bumper warranty for horses. Sure the thing is 3d printed, but the design schematics are impossible to read and the quality control on the materials needed for construction can sometimes be sub-par.
As for security patches, only an idiot lets their horse's anti-virus defense go out of date.
On the topic of external combustion engines. You must be doing it wrong then. https://www.youtube.com/watch?... [youtube.com]
Re: (Score:3)
If it ain't broken don't fix it.
"Improvement" for the sake of it is not improvement, just more bling.
Re: (Score:2)
Do you work in marketing, by any chance?
Re: (Score:1)
If it ain’t broke, it doesn’t have enough features.
Re: (Score:2)
You must be an engineer.
Re: (Score:3)
When you see weekly stories about horses getting hacked via a smartphone app with trivial security, do let us know.
If these connected cars have security as bad as this, it's pretty pathetic, if not bordering on criminally incompetent.
The problem is every idiot rushes to the market to say "ZOMG ... teh app", and what they produce is complete and utter crap.
Re: (Score:2)
They all seem to work just fine with a horse.
There are some advantages to using horses. For instance cars are only now getting autopilot, but centuries ago, if you travelled a regular route, say from the market to your farm, you could loosen the reins, and take a snooze in the back of the wagon, and depend on your horse to know the way home.
Re: (Score:2)
Re: (Score:2)
Name one legitimate use case for remote start on an electric car.
Re: (Score:2)
Keep in mind that the advantages of first-generation internal combustion engines were far less obvious, being large, expensive, noisy, under-powered, and unreliable. We tend to take the reliability of modern engines for granted and of course have the advantage of hind-sight, but even just thirty years ago, cars needed a LOT more maintenance and were FAR less reliable than today. We're witnessing a lot of teething pain with a new technology as companies get to grips with how to properly use it. Remember t
Re: (Score:2)
You don't really know exactly what will stick and what will fade into obscurity until you give it a try.
That's kind of true, but you seem to be treating it like some sort of mystical unknowable thing. It's generally pretty easy to tell the winners and losers beforehand when it comes to these kinds of things, at least as far as things that are supposed to serve a functional purpose. Using your CueCat example, did anyone other than advertisers, marketers, and the development team behind it actually think that CueCat would take off? Short of some really specialized applications (e.g. reading a printed medium wi
Re: (Score:2)
Well, I gave a pretty ridiculous example with CueCat. Yeah, it was obvious to most people right from the start that it was a lame-o gimmick. Most of the DotCom 1.0 bubble companies has almost NO idea how they were going to monetize their product or services, and so were doomed to fail almost from the start unless they became ridiculously popular (e.g. Twitter).
But not everything is so easy to predict. I distinctly remember thinking cameras on cellphones were ridiculous and gimmicky, and probably wouldn't
Re: (Score:1)
But.... but..... but.... Da Tezla is inn0v8ive bvecause it can update teh soffwarezzzz!!!11!!!!!
That makes you an ape and a republican for not finding virtue in everything EV.
Re: (Score:2)
I've been driving for nearly 30 years and I have yet to come up with a reason why my car needs to be on the internet. Or my DVD player. Or TV. Or refrigerator. Or light bulbs. They all seem to work just fine in standalone mode.
My local public utility company is pushing all of its customers to a digital thermostat. The energy savings and the perks are very nice.
When I leave for work (or go to bed) my water heater turns itself off and the thermostat gets set to a temperature closer to outside. I have them set to kick back on about an hour before I leave work. I set the temperature to be colder than usual when I go to sleep because it's easier for me to fall asleep when it's cold. Around midnight, the temperature goes back up. A
Re: (Score:1)
Digital thermostats have been around for DECADES. It's reassuring to see your utility company keeping up with the times.
And as for guests being too fat and fucking lazy to turn the stat up when they walk in the door... well... can't help you there. It's the American way of life. "I need a robot to get the Cheetos because I'm a fat ass and can't get off the sofa!"
Re: (Score:2)
Re: (Score:2)
It's the American way of life. "I need a robot to get the Cheetos because I'm a fat ass and can't get off the sofa!"
The same can be said about the TV remote. Or automatic transmissions.
Re: (Score:2)
I own a Leaf. The remote control faculty is awesome. In the winter my car is nice and warm when I come out of work. Being an EV with limited range it's useful to be able to monitor charging remotely on occasion.
It should be possible to do this securely. We provide loads of services securely over the Internet. It's annoying but I remember when Windows didn't even have a firewall enabled by default, and somehow we survived and improved. No need to be a Luddite.
For now I disabled the service and rely on timers
Re: (Score:2)
I've been driving for nearly 30 years and I have yet to come up with a reason why my car needs to be on the internet. Or my DVD player. Or TV. Or refrigerator. Or light bulbs. They all seem to work just fine in standalone mode.
Well, the TV and DVD kind of make sense with the advent of streaming video services.
Everything else though... yeah... that seems pretty dumb until you realize that there were probably lots of folks who didn't see the point of wiring electricity in everyone's homes, they'd been living without electricity just fine for years, who needed that?
So yeah, internet on your light bulbs is pretty much just a novelty now, but in a few years we might get some interesting innovations out of it.
Re: (Score:2)
I preferred the pizza analogist.
Re: (Score:1)
Summary in Error (Score:1)
Let me Google that for you:
http://www.mattcastruccinissan.com/blog/how-to-jumpstart-a-nissan-leaf/
You can jump a Nissan Leaf if you want.
Re: (Score:1)
That's of course not what they meant. Many of today's EVs like the Leaf are kind of weird in that almost all of their electronics - except the drive motor - still run on 12V. So the Leaf has a 12V battery. And sometimes its 12V can run down. And when that happens its computers - including those that run the self-test on the battery pack and enable it - don't come on. So you can't drive it if the 12V system is dead. Kind of silly how it can have vast amounts of energy stored in a HV pack but not star
At this point... (Score:4, Insightful)
It appears that is the only way the car manufacturers will sit up and pay attention to the need for security in their vehicles.
Re: (Score:2)
Oh, I don't know.. I think civil courts could be effective to motivate them. No need to make it a crime per se, just let customers sue.
Re: (Score:2)
Say it isn't so ... (Score:2)
You mean an app used utterly lame security and used something readily available?
Well, I'm totally shocked.
No, wait, the other one where I pretty much expect all of this crap to be broken by design.
Almost without fail, if you can control it from your smartphone, chances are good that someone else can.
No thanks.
OMG, someone just turned on my heater!!! (Score:1)
In the summer!!!
Tell my wife and kids I loved them!!
Re: (Score:2)
Your Goose is cooked man... The heat is on!
At least until the battery dies...
Cycle through VINs? (Score:2)
You mean cycle through the one single VIN stencilled into the windscreen of your mortal enemy's Nissan Leaf, right? I think even the most inept developer of all time should be able to write an algorithm that's better than O(n)...
Re: (Score:3)
Re: (Score:2)
You win. That's way funnier than mine.
Remote Start / HVAC Runtime Anyone? (Score:3)
That's a perfectly accepted use case now. The problem is the app/IoT side. Currently, it uses your keyfob to "authenticate" the request.
Re: (Score:2)
LOL, years ago, a friend decided he wanted a remote starter in his Accord.
No word of a lie, the only way the dealer could figure out how to do it was to take one of his physical keys (with some chip thingy) and wire it in under the hood somewhere, and they couldn't get him a replacement, because the chip thingy was expensive and intended to not be counterfeited.
I remember thinking, "if your dealer can't find a better way to do that, why are they a
Re: (Score:2)
I remember thinking, "if your dealer can't find a better way to do that, why are they advertising this?".
Probably because they are lame. A lot of dealers have installed a lot of non-approved crap on a lot of cars over the years, and then been responsible for maintaining it themselves, which they often do not know how to do. Anyway, some cars are meant to have remote start. A company called Fortin makes immo bypass systems, which are a lot slicker than putting the immo chip into the car like a dumbass.
Re: (Score:2)
Re: (Score:2)
This is over the Internet (car has an EDGE connection) and does not require a line of sight.
Thankfully, it's a pure electric car. If it turns on it's just an inconvenience. If this was on a gas car, it could kill people with carbon monoxide poisoning.
Re: (Score:1)
Re: (Score:2)
There hasn't been a single person in the EMEAASPAK world killed by carbon monoxide poisoning, and our cars don't catch fire and obliterate in 30 seconds every time we crash, nor our homes tumble down because a fire has started, you just clean it out, put a new coat of paint and move on. Perhaps it is the American way of building stuff that is wrong and everyone is in the scare? Heck, even most of the eastern seaboard uses real bricks and mortar.
Wow. So, a Japanese car manufacturer screws something up, it's discovered by an Australian security researcher, and somehow you still manage to find a way to turn it into an "Americans can't build anything for shit" rant.
Not only that, but all your examples of how American designs fail miserably are completely wrong. I can't remember when was the last time I've seen a car set on fire in a crash, but the only one I remember off the top of my head was a VW. Actually, that one technically didn't crash. It
Re: (Score:2)
How is this any different than a regular ICE car having remote start? Those have been pitched as "get the car warmed up inside and out before stepping outside!" deals for ages now.
That's a perfectly accepted use case now. The problem is the app/IoT side. Currently, it uses your keyfob to "authenticate" the request.
You raise an awesome question, and I'll answer it.
One, in the regular car example you describe, the attacker needs two things: to be able to spoof the keyfob, and physical proximity. The first hasn't always been trivial, but it's still got a lot of challenges. The second keeps the attack from scaling; you can't sit in one place at one time and simultaneously mess with tons and tons of cars. This attack is far, far easier to accomplish (you just need to know the network range in question and only have to
Re: (Score:2)
How is this any different than a regular ICE car having remote start? Those have been pitched as "get the car warmed up inside and out before stepping outside!" deals for ages now.
That's a perfectly accepted use case now. The problem is the app/IoT side. Currently, it uses your keyfob to "authenticate" the request.
This.
Also, the HVAC should not be able to access anything but the HVAC system and the physical controls should override any remote settings. But that's just crazy talk.
as a LEAF owner (Score:4, Informative)
this does not bug me, much - the Nissan EV app's remote HVAC feature is nice for warming up the car in the morning while it is still attached to the home charger. You can heat the interior without impacting the traction battery. Little known fact: heating a LEAF that's been parked outside in freezing weather has a greater impact on the battery (driving range) than cooling the same vehicle in the summer.
Re: (Score:2)
Re: (Score:2)
I regularly use the LEAF in -25C weather and it's fine. The heater does put quite a bit of drain on the battery, but the distances I do are manageable.
I also regularly use the remote HVAC feature on battery, too bad the Nissan app is a buggy UX nightmare.
Re: (Score:1)
For non-extreme cold, using just the steering wheel and seat heaters saves a LOT of range. The window defrosters are a huge range hit.
Re: (Score:1)
Well, it doesn't bug you much now, maybe because you haven't thought through the implications. However, next time you end up having to tow your LEAF because while you were parked away from home some script kiddie drained your traction battery as a prank, you may change your mind. If it happens often enough, I bet it would start bugging you to a point where you would disable the feature (at least you have that option).
Help me understand something here... (Score:2)
Re: (Score:2)
Re: (Score:2)
You might also want to pre-cool the car before you leave work even if you are not currently plugged in. It is a simple decision of how much battery capacity you are willing to spend to hop into a comfortable car.
Re: (Score:1)
The Leaf's remotely triggered climate control stops running 20 minutes after it reaches the preset target temperature (configured in the car only, not over the internet). But the evil hacker in this scenario is telling the car to restart climate control every 20 minutes, defeating that protection against simple user error. The car won't run the battery down below some limit (I don't recall exactly how low) even then, so you can't actually damage the battery by running it down to zero this way, but you can r
Re: (Score:2)
Except that all EVs don't have onboard engines, I'm with you on this. Seems like a serious oversight to allow the AC/Heat to run for extended periods when the vehicle is not plugged in or occupied. Even your everyday laptop can tell the difference between "plugged in" and "on battery" while monitoring battery percentages to decide what appropriate operating parameters are, so why can't a battery operated car? Why can it not say, "Hey, it's been 10 min and nobody is in the vehicle and I'm not plugged in,
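The two posts above describe a vehicle-side control that a compromised or abused remote command should not be able to bypass: the 20-minute shutoff is defeated simply by sending another start, and the car already knows whether it is plugged in, occupied, and how much charge it has. Below is an added example of such a policy, not anything from Nissan or from these posters; the reserve-charge threshold, the one-start-per-hour limit for unplugged operation and the `VehicleState` fields are all assumptions chosen for illustration.

```python
"""Added example: vehicle-side policy for honoring remote climate start requests."""
from collections import deque
from dataclasses import dataclass, field

# Assumed thresholds for the example; a real vehicle would tune these.
RESERVE_SOC_PCT = 30             # refuse remote HVAC on battery below this charge
MAX_BATTERY_STARTS_PER_WINDOW = 1  # remote starts allowed while unplugged and empty
WINDOW_SECONDS = 3600            # sliding window for the start limit


@dataclass
class VehicleState:
    """Constructed snapshot of the inputs the car already has locally."""
    plugged_in: bool
    occupied: bool
    soc_pct: float


@dataclass
class ClimatePolicy:
    """Decides whether a remote climate start is honored.

    Repeated starts are only rate-limited when the car is unplugged and nobody is
    inside; an occupant can always use the physical controls regardless.
    """
    starts: deque = field(default_factory=deque)  # times of accepted on-battery starts

    def _expire(self, now):
        while self.starts and now - self.starts[0] >= WINDOW_SECONDS:
            self.starts.popleft()

    def decide(self, now, state):
        """Return (allowed, reason) for a remote start received at time `now` (seconds)."""
        if state.plugged_in:
            return (True, "on grid power")
        if state.soc_pct < RESERVE_SOC_PCT:
            return (False, "below reserve charge")
        self._expire(now)
        if not state.occupied and len(self.starts) >= MAX_BATTERY_STARTS_PER_WINDOW:
            return (False, "repeated remote starts while unplugged and unoccupied")
        self.starts.append(now)
        return (True, "on battery, within limits")


if __name__ == "__main__":
    policy = ClimatePolicy()
    parked = VehicleState(plugged_in=False, occupied=False, soc_pct=80)
    # A start every 20 minutes, the pattern the post above describes.
    for t in (0, 1200, 2400, 3600):
        print(t, policy.decide(t, parked))
    print("plugged", policy.decide(0, VehicleState(True, False, 80)))
    print("low", policy.decide(0, VehicleState(False, False, 20)))
```

The point of putting this logic in the car rather than in the app backend is that it still holds when the backend's authorization is broken, as it was here: whatever the server relays, the vehicle will not drain itself on battery beyond the limits it enforces locally.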
Re: (Score:2)
My Tesla model S has a similar feature and I use it frequently in the winter to warm up my car in the parking lot before I leave the building. It means I don't have to wait for the windows to defog and the car's warm by the time I head out. I can also monitor the temperature and wait until the car is warm before heading out to it. If I do nothing then after a while it shuts itself off.
In my case there's no place to plug in at work, but that's not an issue since I have plenty of range. Tesla also has a histo
Some conveniences should be avoided for now (Score:1)
the only thing owners can do is disable the remote-control feature completely.
In other news, thieves discovered a way to break into garages using drive-by attacks (this happened in the 1980s or 1990s). The only thing owners could do was to disable the remote-control feature completely (or replace it with a different one).
Yes, there are a few environments where you need to be able to turn the heat or AC on before you get into the car. Alaska and Phoenix, Arizona, I'm looking at you. But for everyone else, the risk (upper bound on the probability of a high-cost hack is still too hig
Re: (Score:2)
And Minnesota and Wisconsin and Florida and Georgia and Texas and Maine, Illinois, etc, etc.
Re: (Score:1)
All this talk (Score:5, Funny)
All this talk about hijacking a car's HVAC system puts me into a cold sweat.
AT&T 2G Sunset (Score:3)
Troy Hunt (Score:3)
It was actually Troy's brother, Mike who discovered the vulnerability.
Re:Tiny non-problem discovered (Score:4, Insightful)
Re:Tiny non-problem discovered (Score:4, Funny)
Why would you have a remote control feature on a car enabled at ALL?
If Google is successful, it will soon also support the command "go pick up the pizza I ordered."
How? Sit in the parking lot flashing lights and honking horn until somebody notices and drops the pie in the driver's seat?
Re: Tiny non-problem discovered (Score:1)
Re: (Score:2)
Your silly is my nice convenience. Open the windows from my office on a hot sunny day. Car isn't a million degrees by the time I get out there. Forget to close my windows and it starts raining? Close them remotely, and I stay dry.
Leaf HVAC is the same thing, and is actually more important for an electric, assuming you're plugged in. You can start the heat or A/C when you're parked, still plugged in. The car gets up or down to your desired temperature while still running on the grid instead of draini
Re:Tiny non-problem discovered (Score:5, Insightful)
Because it's really convenient to be able to start the air conditioning remotely, so that the car is already cool when you get in it. This is especially important with electric cars, where the power to cool the car down initially will then be drawn from the grid, not the battery.
Re: (Score:2)
Assuming you have the thing plugged in.
Which, given that these types of cars are pretty much exclusively commuter vehicles, and many workplaces provide plugs these days is pretty likely.
Generally, they're either sat at work, or at home, usually plugged in.
That's the big advantage of an electric car, no range anxiety, unlike with a petrol car. You never have to think about filling it up with petrol, because it just gets plugged in every time you stop.
Re: (Score:2)
Wow..I have yet to see ANY charging stations anywhere in the city, much less at a parking lot where people work.
I would guess they're pretty much only prevalent out west in CA and the like and maybe in some of the North East states?
Re: (Score:3)
That's the big advantage of an electric car, no range anxiety, unlike with a petrol car.
No one gets range anxiety when they can fill up anywhere on their route in less than five minutes.
(Is this one of those things where you think that if enough people repeat it enough it will become true? Those approaches hardly ever work).
Re: (Score:2)
I've never seen a plug anywhere for electric cars to charge up. I've heard some employers out in California provide them and maybe a few other places but even there I hear complaints about not enough charging ports. Does your employer have a port for every single electric car?
Re: (Score:3)
I own a Leaf in the desert southwest. Being able to turn on the AC from your phone is fantastic. The difference between getting into an 80 degree car and a 120 degree car is pretty huge.
Re: (Score:2)
I am never moving to the southwest.
Re: (Score:2)
120F cars are not uncommon, even not in the south west. A car sat out on a 75F day will be 120F inside in about an hour. On a 100F day it'll be 150F inside in the same time.
Re: (Score:3)
I have seen those and can understand its appeal. Especially if it's limited against moving the car out of park.
Picture yourself on a 20 degree day starting your car by remote and having the heat start while you sit in your warm living room enjoying your first cup of coffee.
Re: (Score:2)
The best part is really you're not turning the car on, just the heater. I can't wait until the range gets up to around 300 miles and charging stations become normal. Until then I'll just keep dreaming.
Re: (Score:2)
Why would you have a remote control feature on a car enabled at ALL?
For people who live in properly hot or cold areas, being able to heat or cool your car down to a sensible temperature before getting in is a godsend. Especially if you live in a humid area and need to demist your windows when it gets as low as 16 degrees C.
Also see this informative picture [twimg.com].
I used to drive a manual with a metal gear stick knob, I have the H-pattern permanently burned into my palm as a result.
Re: (Score:2)
Well because ......... Internet of Shit
https://twitter.com/internetof... [twitter.com]
Re: (Score:2)
Re: (Score:2)
Ah, Nissan didn't take long to put their damage control online.
Thanks for sharing the company's PR perspective with us, AC. But how 'bout we actually discuss the real facts and the real effects, hmm?
Slashdot moderators... I am disappoint.