Nissan Leaf HVAC-Hack Vulnerability Disclosed (bbc.com)

GWBasic writes: Some of Nissan's Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to [Troy Hunt,] a prominent security researcher. .... Mr Hunt said the root of the problem was that the firm's NissanConnect app needed only a car's vehicle identification number (VIN) to take control. That means that pranksters could pretty easily run down a Leaf's battery via Nissan's app just by cycling through VIN numbers, which, the article points out, typically vary only in the last few digits for same-region Leafs, and for an electric car that's a big deal -- you can't just get a quick jump and be on your way. For now, Hunt says, the only thing owners can do is disable the remote-control feature completely.
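The two security points in the summary, as an added example that is not Nissan's code and not taken from Troy Hunt's write-up: a VIN is an identifier rather than a secret (its check character is public arithmetic under ISO 3779 / 49 CFR 565, and same-region cars differ only in the trailing serial, so the candidate space is tiny), and the missing control is a server-side check that the caller's account actually owns the VIN it names. `WeakBackend`, `HardenedBackend`, the account names and the use of the textbook ISO example VIN are all illustrative assumptions.

```python
"""
Added example, not Nissan's code and not from Troy Hunt's write-up.
(1) A VIN's check character is public arithmetic and the serial is the
only part that varies, so well-formed VINs are trivially enumerable.
(2) The fix is object-level authorization: bind the request to an
account that is enrolled as the owner of that VIN.
WeakBackend/HardenedBackend and the account names are hypothetical.
"""
import re
import secrets

# ISO 3779 / 49 CFR 565 transliteration table and position weights (public).
_TRANSLIT = {**{str(d): d for d in range(10)},
             "A": 1, "B": 2, "C": 3, "D": 4, "E": 5, "F": 6, "G": 7, "H": 8,
             "J": 1, "K": 2, "L": 3, "M": 4, "N": 5, "P": 7, "R": 9,
             "S": 2, "T": 3, "U": 4, "V": 5, "W": 6, "X": 7, "Y": 8, "Z": 9}
_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2)


def vin_check_digit(vin: str) -> str:
    """Check character for position 9 of a 17-character VIN."""
    total = sum(_TRANSLIT[c] * w for c, w in zip(vin.upper(), _WEIGHTS))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def vin_is_well_formed(vin: str) -> bool:
    """Length 17, no I/O/Q, and the check character is consistent."""
    vin = vin.upper()
    return (len(vin) == 17
            and re.fullmatch(r"[A-HJ-NPR-Z0-9]{17}", vin) is not None
            and vin[8] == vin_check_digit(vin))


def sibling_vins(vin: str, serial_digits: int):
    """Every VIN sharing this one's prefix and differing only in the last
    `serial_digits` positions, check character recomputed. This is the
    search space behind "cycling through VINs": 10**serial_digits."""
    prefix = vin.upper()[:17 - serial_digits]
    for serial in range(10 ** serial_digits):
        body = prefix + str(serial).zfill(serial_digits)
        yield body[:8] + vin_check_digit(body) + body[9:]


class WeakBackend:
    """The pattern the story describes: knowing a VIN is the whole credential."""

    def __init__(self, enrolled_vins):
        self._vins = {v.upper() for v in enrolled_vins}

    def hvac_on(self, vin: str) -> bool:
        return vin.upper() in self._vins  # no caller identity involved at all


class HardenedBackend:
    """Bearer session tied to an account; the VIN must be enrolled to that account."""

    def __init__(self):
        self._owner_of = {}   # vin -> account
        self._sessions = {}   # token -> account

    def enroll(self, account: str, vin: str) -> None:
        if not vin_is_well_formed(vin):
            raise ValueError("malformed VIN")
        self._owner_of[vin.upper()] = account

    def login(self, account: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, unlike a VIN
        self._sessions[token] = account
        return token

    def hvac_on(self, token: str, vin: str) -> bool:
        account = self._sessions.get(token)
        # Object-level authorization: a valid identity AND ownership of this VIN.
        return account is not None and self._owner_of.get(vin.upper()) == account


if __name__ == "__main__":
    example = "1M8GDM9AXKP042788"  # textbook ISO 3779 example VIN, not a Leaf
    print(len(list(sibling_vins(example, 3))), "well-formed siblings from 3 serial digits")
```

The hardened variant is deliberately boring: the only thing that changes is that the server asks "who is calling, and is that caller enrolled for this VIN?" before touching the car. Rate limiting and logging of failed lookups belong on top of that, not instead of it.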


  • Jesus christ (Score:5, Insightful)

    by Anonymous Coward on Wednesday February 24, 2016 @02:53PM (#51576653)

    I've been driving for nearly 30 years and I have yet to come up with a reason why my car needs to be on the internet. Or my DVD player. Or TV. Or refrigerator. Or light bulbs. They all seem to work just fine in standalone mode.

    • by Anonymous Coward

      But.... but..... but.... Da Tezla is inn0v8ive bvecause it can update teh soffwarezzzz!!!11!!!!!

      That makes you an ape and a republican for not finding virtue in everything EV.

    • I've been driving for nearly 30 years and I have yet to come up with a reason why my car needs to be on the internet. Or my DVD player. Or TV. Or refrigerator. Or light bulbs. They all seem to work just fine in standalone mode.

      My local public utility company is pushing all of its customers to a digital thermostat. The energy savings and the perks are very nice.

      When I leave for work (or go to bed) my water heater turns itself off and the thermostat gets set to a temperature closer to outside. I have them set to kick back on about an hour before I leave work. I set the temperature to be colder than usual when I go to sleep because it's easier for me to fall asleep when it's cold. Around midnight, the temperature goes back up. A

      • by Anonymous Coward

        Digital thermostats have been around for DECADES. It's reassuring to see your utility company keeping up with the times.

        And as for guests being too fat and fucking lazy to turn the stat up when they walk in the door... well... can't help you there. It's the American way of life. "I need a robot to get the Cheetos because I'm a fat ass and can't get off the sofa!"

        • I'm guessing that the OP's electric company grants credits to customers for allowing the utility to adjust their fridge/thermostat/etc. during periods of high usage.
        • It's the American way of life. "I need a robot to get the Cheetos because I'm a fat ass and can't get off the sofa!"

          The same can be said about the TV remote. Or automatic transmissions.

    • by AmiMoJo ( 196126 )

      I own a Leaf. The remote control faculty is awesome. In the winter my car is nice and warm when I come out of work. Being an EV with limited range it's useful to be able to monitor charging remotely on occasion.

      It should be possible to do this securely. We provide loads of services securely over the Internet. It's annoying but I remember when Windows didn't even have a firewall enabled by default, and somehow we survived and improved. No need to be a Luddite.

      For now I disabled the service and rely on timers

    • by Syberz ( 1170343 )

      I've been driving for nearly 30 years and I have yet to come up with a reason why my car needs to be on the internet. Or my DVD player. Or TV. Or refrigerator. Or light bulbs. They all seem to work just fine in standalone mode.

      Well, the TV and DVD kind of make sense with the advent of streaming video services.

      Everything else though... yeah... that seems pretty dumb until you realize that there were probably lots of folks who didn't see the point of wiring electricity in everyone's homes, they'd been living without electricity just fine for years, who needed that?

      So yeah, internet on your light bulbs is pretty much just a novelty now, but in a few years we might get some interesting innovations out of it.

  • by Anonymous Coward

    Let me Google that for you:

    http://www.mattcastruccinissan.com/blog/how-to-jumpstart-a-nissan-leaf/

    You can jump a Nissan Leaf if you want.

    • by Rei ( 128717 )

      That's of course not what they meant. Many of today's EVs like the Leaf are kind of weird in that almost all of their electronics - except the drive motor - still run on 12V. So the Leaf has a 12V battery. And sometimes its 12V can run down. And when that happens its computers - including those that run the self-test on the battery pack and enable it - don't come on. So you can't drive it if the 12V system is dead. Kind of silly how it can have vast amounts of energy stored in a HV pack but not star

  • At this point... (Score:4, Insightful)

    by QuietLagoon ( 813062 ) on Wednesday February 24, 2016 @02:59PM (#51576693)
    ... for such an egregious lapse in security to be present in a vehicle, it should be criminal.

    It appears that is the only way the car manufacturers will sit up and pay attention to the need for security in their vehicles.

    • Oh, I don't know... I think civil courts could be effective to motivate them. No need to make it a crime per se, just let customers sue.

  • You mean an app used utterly lame security and used something readily available?

    Well, I'm totally shocked.

    No, wait, the other one where I pretty much expect all of this crap to be broken by design.

    Almost without fail, if you can control it from your smartphone, chances are good that someone else can.

    No thanks.

  • In the summer!!!

    Tell my wife and kids I loved them!!

  • You mean cycle through the one single VIN stencilled into the windscreen of your mortal enemy's Nissan Leaf, right? I think even the most inept developer of all time should be able to write an algorithm that's better than O(n)...

    • by msauve ( 701917 )
      But it's secure! Someone told them that best practice was to implement 2 part security, something they know, and something they have. They have the car, and they know the VIN.
  • How is this any different than a regular ICE car having remote start? Those have been pitched as "get the car warmed up inside and out before stepping outside!" deals for ages now.

    That's a perfectly accepted use case now. The problem is the app/IoT side. Currently, it uses your keyfob to "authenticate" the request.
    • Currently, it uses your keyfob to "authenticate" the request.

      LOL, years ago, a friend decided he wanted a remote starter in his Accord.

      No word of a lie, the only way the dealer could figure out how to do it was to take one of his physical keys (with some chip thingy) and wire it in under the hood somewhere, and they couldn't get him a replacement, because the chip thingy was expensive and intended to not be counterfeited.

      I remember thinking, "if your dealer can't find a better way to do that, why are they a

      • I remember thinking, "if your dealer can't find a better way to do that, why are they advertising this?".

        Probably because they are lame. A lot of dealers have installed a lot of non-approved crap on a lot of cars over the years, and then been responsible for maintaining it themselves, which they often do not know how to do. Anyway, some cars are meant to have remote start. A company called Fortin makes immo bypass systems, which are a lot slicker than putting the immo chip into the car like a dumbass.

      • by Lehk228 ( 705449 )
        the chip key is supposed to go in a heavy duty lockbox that only connects it to the engine when the remote system is activated with the secure remote fob.
    • This is over the Internet (car has an EDGE connection) and does not require a line of sight.

      Thankfully, it's a pure electric car. If it turns on it's just an inconvenience. If this was on a gas car, it could kill people with carbon monoxide poisoning.

      • by I4ko ( 695382 )
        There hasn't been a single person in the EMEAASPAK world killed by carbon monoxide poisoning, and our cars don't catch fire and obliterate in 30 seconds every time we crash, nor our homes tumble down because a fire has started, you just clean it out, put a new coat of paint and move on. Perhaps it is the American way of building stuff that is wrong and everyone is in the scare? Heck, even most of the eastern seaboard uses real bricks and mortar.
        • There hasn't been a single person in the EMEAASPAK world killed by carbon monoxide poisoning, and our cars don't catch fire and obliterate in 30 seconds every time we crash, nor our homes tumble down because a fire has started, you just clean it out, put a new coat of paint and move on. Perhaps it is the American way of building stuff that is wrong and everyone is in the scare? Heck, even most of the eastern seaboard uses real bricks and mortar.

          Wow. So, a Japanese car manufacturer screws something up, it's discovered by an Australian security researcher, and somehow you still manage to find a way to turn it into an "Americans can't build anything for shit" rant.
          Not only that, but all your examples of how American designs fail miserably are completely wrong. I can't remember the last time I saw a car set on fire in a crash, but the only one I remember off the top of my head was a VW. Actually, that one technically didn't crash. It

    • by Shoten ( 260439 )

      How is this any different than a regular ICE car having remote start? Those have been pitched as "get the car warmed up inside and out before stepping outside!" deals for ages now.

      That's a perfectly accepted use case now. The problem is the app/IoT side. Currently, it uses your keyfob to "authenticate" the request.

      You raise an awesome question, and I'll answer it.

      One, in the regular car example you describe, the attacker needs two things: to be able to spoof the keyfob, and physical proximity. The first hasn't always been trivial, but it's still got a lot of challenges. The second keeps the attack from scaling; you can't sit in one place at one time and simultaneously mess with tons and tons of cars. This attack is far, far easier to accomplish (you just need to know the network range in question and only have to

    • by mjwx ( 966435 )

      How is this any different than a regular ICE car having remote start? Those have been pitched as "get the car warmed up inside and out before stepping outside!" deals for ages now.

      That's a perfectly accepted use case now. The problem is the app/IoT side. Currently, it uses your keyfob to "authenticate" the request.

      This.

      Also, the HVAC should not be able to access anything but the HVAC system and the physical controls should override any remote settings. But that's just crazy talk.

  • as a LEAF owner (Score:4, Informative)

    by Kevoco ( 64263 ) on Wednesday February 24, 2016 @03:12PM (#51576789)

    this does not bug me, much - the Nissan EV app's remote HVAC feature is nice for warming up the car in the morning while it is still attached to the home charger. You can heat the interior without impacting the traction battery. Little known fact: heating a LEAF that's been parked outside in freezing weather has a greater impact on the battery (driving range) than cooling the same vehicle in the summer.

    • Just out of interest, how cold does it get where you are? I've been hearing a lot about the leaf, but it can get down to -31F where I am. When smart cars first came out, a bunch of people got them but I don't see too many in the winter any more. The last one I saw, the driver had to bundle up and drive with both windows open so that the windshield didn't completely frost up.
      • I regularly use the LEAF in -25C weather and it's fine. The heater does put quite a bit of drain on the battery, but the distances I do are manageable.
        I also regularly use the remote HVAC feature on battery, too bad the Nissan app is a buggy UX nightmare.

        • by Anonymous Coward

          For non-extreme cold, using just the steering wheel and seat heaters saves a LOT of range. The window defrosters are a huge range hit.

    • Well, it doesn't bug you much now, maybe because you haven't thought through the implications. However, next time you end up having to tow your LEAF because while you were parked away from home some script kiddie drained your traction battery as a prank, you may change your mind. If it happens often enough, I bet it would start bugging you to a point where you would disable the feature (at least you have that option).

  • So they've created a feature that allows you to remotely run the heater or a/c indefinitely while nobody is occupying the vehicle? Seems to me that one of the first things done when designing this would to implement a timer and/or an occupancy sensor. Preheating/cooling the interior on a cold/hot day is great, and sometimes you just want to run into a store with your dogs in the back without leaving the engine on, but both of these scenarios should be rather brief in duration. Allowing the system to dischar
    • by tlhIngan ( 30335 )

      So they've created a feature that allows you to remotely run the heater or a/c indefinitely while nobody is occupying the vehicle? Seems to me that one of the first things done when designing this would to implement a timer and/or an occupancy sensor. Preheating/cooling the interior on a cold/hot day is great, and sometimes you just want to run into a store with your dogs in the back without leaving the engine on, but both of these scenarios should be rather brief in duration. Allowing the system to dischar

      • You might also want to pre-cool the car before you leave work even if you are not currently plugged in. It is a simple decision of how much battery capacity you are willing to spend to hop into a comfortable car.

    • by Anonymous Coward

      The Leaf's remotely triggered climate control stops running 20 minutes after it reaches the preset target temperature (configured in the car only, not over the internet). But the evil hacker in this scenario is telling the car to restart climate control every 20 minutes, defeating that protection against simple user error. The car won't run the battery down below some limit (I don't recall exactly how low) even then, so you can't actually damage the battery by running it down to zero this way, but you can r

    • Except that all EVs don't have onboard engines, I'm with you on this. Seems like a serious oversight to allow the AC/Heat to run for extended periods when the vehicle is not plugged in or occupied. Even your everyday laptop can tell the difference between "plugged in" and "on Battery" while monitoring battery percentages to decide what appropriate operating parameters are, so why can't a battery operated car? Why can it not say, "Hey, it's been 10 min and nobody is in the vehicle and I'm not plugged in,

    • by AaronW ( 33736 )

      My Tesla model S has a similar feature and I use it frequently in the winter to warm up my car in the parking lot before I leave the building. It means I don't have to wait for the windows to defog and the car's warm by the time I head out. I can also monitor the temperature and wait until the car is warm before heading out to it. If I do nothing then after a while it shuts itself off.

      In my case there's no place to plug in at work, but that's not an issue since I have plenty of range. Tesla also has a histo
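The thread above describes a per-command cutoff (climate control stops about 20 minutes after reaching target) and observes that re-sending the command every 20 minutes defeats it, while other replies ask for plugged-in, occupancy and state-of-charge awareness. As an added example that is not Nissan's firmware, here is an admission policy that keeps the per-command cap and adds a cumulative unattended-on-battery budget per rolling window plus a charge floor, so a command loop cannot drain the pack. The thresholds, the `VehicleState` fields and the 20-minute figure used as a cap are illustrative assumptions taken from the discussion, not Nissan's actual values.

```python
"""
Added example, not Nissan's firmware. Remote HVAC admission policy:
keeps a per-command runtime cap, and on top of it enforces a cumulative
unattended-on-battery budget per rolling window and a state-of-charge
floor, so re-sending the command every 20 minutes is refused once the
budget is spent. All thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field

SESSION_MAX_MIN = 20          # per-command runtime cap (the 20 minutes mentioned in the thread)
UNPLUGGED_BUDGET_MIN = 40     # assumed: total unattended runtime on battery per window
WINDOW_MIN = 12 * 60          # assumed rolling window length
MIN_SOC_UNPLUGGED = 0.50      # assumed: no remote start on battery below 50% charge


@dataclass
class VehicleState:
    plugged_in: bool
    occupied: bool
    soc: float                # state of charge, 0.0..1.0


@dataclass
class RemoteHvacPolicy:
    # (start_minute, runtime_minutes) of past unattended-on-battery sessions
    history: list = field(default_factory=list)

    def _used_in_window(self, now_min: int) -> int:
        return sum(rt for start, rt in self.history
                   if 0 <= now_min - start < WINDOW_MIN)

    def admit(self, state: VehicleState, now_min: int) -> tuple:
        """Return (allowed, reason) for a remote HVAC-on request."""
        if state.occupied or state.plugged_in:
            # Someone is present or the grid is paying: only the per-command cap applies.
            return True, "cabin occupied or charging"
        if state.soc < MIN_SOC_UNPLUGGED:
            return False, "on battery below reserve floor"
        if self._used_in_window(now_min) + SESSION_MAX_MIN > UNPLUGGED_BUDGET_MIN:
            return False, "unattended runtime budget exhausted"
        return True, "on battery, within budget"

    def run(self, state: VehicleState, now_min: int) -> bool:
        """Admit the request and, if it runs unattended on battery, charge the budget."""
        allowed, _ = self.admit(state, now_min)
        if allowed and not (state.occupied or state.plugged_in):
            self.history.append((now_min, SESSION_MAX_MIN))
        return allowed


def restart_loop(policy: RemoteHvacPolicy, state: VehicleState,
                 attempts: int, interval_min: int) -> int:
    """Simulate the 'resend every N minutes' pattern; return how many commands ran."""
    return sum(policy.run(state, i * interval_min) for i in range(attempts))


if __name__ == "__main__":
    parked = VehicleState(plugged_in=False, occupied=False, soc=0.8)
    print(restart_loop(RemoteHvacPolicy(), parked, attempts=10, interval_min=20),
          "of 10 looped commands ran while parked on battery")
```

The budget is the part the per-command timer alone cannot provide: each command is individually legitimate, so only an accounting of cumulative unattended runtime distinguishes an owner pre-heating once from a loop draining the pack. Plugged-in and occupied states bypass the budget because the cost there is visible or externally paid, which is the behaviour the LEAF owners in the thread say they want.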

  • the only thing owners can do is disable the remote-control feature completely.

    In other news, thieves discovered a way to break into garages using drive-by attacks (this happened in the 1980s or 1990s). The only thing owners could do was to disable the remote-control feature completely (or replace it with a different one).

    Yes, there are a few environments where you need to be able to turn the heat or AC on before you get into the car. Alaska and Phoenix, Arizona, I'm looking at you. But for everyone else, the risk (upper bound on the probability of a high-cost hack is still too hig

    • by sjames ( 1099 )

      And Minnesota and Wisconsin and Florida and Georgia and Texas and Maine, Illinois, etc, etc.

    • by I4ko ( 695382 )
      For Phoenix, Arizona you need only a quality set of driving gloves. Professional drivers and people with Bentleys still use them. Better to just class up.
  • by Marginal Coward ( 3557951 ) on Wednesday February 24, 2016 @03:59PM (#51577179)

    All this talk about hijacking a car's HVAC system puts me into a cold sweat.

  • by certsoft ( 442059 ) on Wednesday February 24, 2016 @05:56PM (#51578011) Homepage
    Nissan Leafs use AT&T 2G modems to connect to the server, so do Ford's Focus Electric and Energi PHEVs. AT&T 2G dies at the end of 2016 so I guess the problem will solve itself eventually.
  • by mjwx ( 966435 ) on Wednesday February 24, 2016 @08:03PM (#51578949)

    Some of Nissan's Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to [Troy Hunt,] a prominent security researcher

    It was actually Troy's brother, Mike who discovered the vulnerability.
