It’s one thing for your computer to be hacked. But imagine you are driving along and someone takes control of your vehicle.
With more and more cars connected to the internet, the risk of car hacking, in which someone takes control of your car remotely (as opposed to carjacking, where they take it by force), looks set to grow rapidly.
Last April BT announced the launch of BT Assure Ethical Hacking for Vehicles, a security service developed to test the exposure of connected vehicles.
“This isn’t going away, it’s just getting bigger and bigger, and we need skilled people to deal with it,” explains Carla Thomas, Head of People and Organisational Development in BT Security.
And now, according to prominent security expert Troy Hunt, a flaw in the companion app for the Nissan Leaf, the best-selling electric vehicle, means data about drivers’ recent journeys could be spied on remotely.
At present the breach will only allow the heating and air-conditioning systems to be hijacked. But what if the vehicle’s engine were tampered with by a hacker, with potentially life-threatening consequences? It doesn’t bear thinking about.
Mr Hunt has apparently known about the breach for a little while but told the BBC he gave the firm a month to fix the issue before going public. Nissan said there was no safety threat and has still not repaired the breach.
“The right thing to do at the moment would be for Nissan to turn it off altogether,” Mr Hunt told the BBC. “They are going to have to let customers know. And to be honest, a fix would not be hard to do.
“It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre.”
A spokeswoman for Nissan told the BBC it was tackling the problem. “Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions,” she said.
“It has no effect whatsoever on the vehicle’s operation or safety.”
NissanConnect app to blame
Those who have never signed up are not at risk. The root of the problem is that the firm’s NissanConnect app needs only a car’s vehicle identification number (Vin) to take control.
The code is usually stencilled into a car’s windscreen, making it relatively easy to copy. The initial characters of a Vin refer to the brand, make of car, and country of manufacture/location of the firm’s headquarters.
So, Mr Hunt said, it would only be the final numbers that varied between different Nissan Leafs based in the same region.
“Normally it’s only the last five digits that differ,” he explained.
“There’s nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air conditioning on in every one.”
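The missing authorisation check described above can be sketched server-side; this is an added illustration, not code from Nissan, Mr Hunt or the BBC. It sets a handler that trusts the Vin alone beside one that requires an authenticated session bound to that Vin and records clients asking for cars they do not own. The session tokens, account names, Vins, client identifiers and the threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: tokens, accounts and Vins are made up.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
OWNED_VINS = {"alice": {"TESTVIN0000012345"}, "bob": {"TESTVIN0000067890"}}
MAX_FOREIGN_VINS = 3  # assumed alert threshold per client


def vulnerable_climate_on(vin):
    """Behaviour the article describes: the Vin alone selects the car."""
    known = set().union(*OWNED_VINS.values())
    return 200 if vin in known else 404


class ClimateApi:
    """Hardened form: the caller must hold a session that owns the Vin."""

    def __init__(self):
        # client id -> distinct Vins requested that the account does not own
        self.foreign = defaultdict(set)

    def climate_on(self, client_id, token, vin):
        account = SESSIONS.get(token)
        if account is None:
            return 401  # no valid session: reject before looking at the Vin
        if vin in OWNED_VINS.get(account, set()):
            return 200  # authenticated and authorised for this car
        self.foreign[client_id].add(vin)
        return 403  # same answer whether or not the Vin exists

    def enumeration_suspects(self):
        """Clients that asked for many Vins outside their own account."""
        return sorted(client for client, vins in self.foreign.items()
                      if len(vins) >= MAX_FOREIGN_VINS)
```

Returning 403 for every Vin the account does not own, whether or not the car exists, keeps the endpoint from confirming which Vins are registered.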
Greater security needed with IoT
According to Reiner Kappenberger, global product manager, HPE Security – Data Security, the problem lies with companies not used to security issues surrounding IoT (Internet of Things).
“The situation with the Nissan Leaf, and the demonstration of how easy it is to decipher the communication between the car and the back end, is yet another demonstration of how security frequently becomes an afterthought for companies not accustomed to the broader issues surrounding the Internet of Things, or IoT.
“We are lucky in this case that the attacks were only focused on functionality in the air-conditioning and heating system of the car and were done by a ‘white hat’ and not a criminally minded black hat hacker.
“It is not uncommon that companies put their traditional security measures, normally deployed for their normal infrastructure, in place when creating an IoT solution and thus focus on areas like network and event logging and monitoring for their data centres. However, with the explosion of new IoT environments, this is just another demonstration that this is not enough.”
The Nissan Leaf is the world’s best-selling electric vehicle, having sold around 200,000 models since its launch in 2010.
The US, Japan and Europe have so far accounted for 90 percent of total LEAF sales, with the US leading the way with more than 90,000 sales, followed by Japan (50,000) and Europe (40,000).