Nissan Leaf electric cars hack vulnerability disclosed - expert comment
The BBC has reported that “some of Nissan’s Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to a prominent security researcher. Troy Hunt reported that a flaw with the electric vehicle’s companion app also meant data about drivers’ recent journeys could be spied on.
Reiner Kappenberger, global product manager, HPE Security - Data Security, said: "The situation with the Nissan Leaf, and the demonstration of how easy it is to decipher the communication between the car and the back end, is yet another demonstration on how security frequently becomes an afterthought for companies not accustomed with the broader issues surrounding the Internet of Things, or IoT. We are lucky in this case that the attacks were only focused on functionality in the air-conditioning and heating system of the car and were done by a ‘white hat’ and not a criminally minded black hat hacker.
It is not uncommon that companies put their traditional security measures, normally deployed for their normal infrastructure, in place when creating an IoT solution and thus focus on areas like network and event logging and monitoring for their data centers. However with the explosion of new IoT environments, this is just another demonstration that this is not enough.
Companies developing IoT solutions focus on the feature and functionality set that they need to make the consumer experience easy and enjoyable. The developers have the best intentions and do a terrific job creating those applications. However they are typically not security experts and, therefore, implement protocols that either have limited or no security elements incorporated. Making sure that security is a first class citizen during the design and development phase of those applications is more critical in the IoT space than ever before. While today’s security best practices focus on the security of the data, with IoT we now must consider the implications to physical security of infrastructure and of people, as we see in the connected car. What if other systems in the car could be breached? What manufacturers and developers of IoT devices need to consider is that it is not only the protocol they use but also the authentication and authorization to these services. Clearly the Nissan Leaf attack shows that neither of these were present but they could be fixed easily with a software update. It also demonstrates that the communication between the mobile device and the back end was not encrypted.
Most people when using a mobile app to do their finances would not connect to their bank if they do not seen a green bar showing proper SSL protection, yet have no visibility into the fact that the mobile application that they are using does not encrypt their data at all.
However another aspect this illustrates is that people just need the VIN number of the car to control it without any protection. More security is needed in here as well. For example, the HIPAA regulation in the US clearly identifies a serial number as sensitive data, and the VIN is also a form of a serial number uniquely identifying a car. Using today’s technology this can be encrypted to minimize risks by going through a range of VIN – or just reading them off the car as the VIN must be visible on the car for law enforcement purposes and other needs. With Format Preserving Encryption those applications can be enhanced quickly to encrypt the data without changing its appearance as it still would appear as a VIN however no longer a real one.
We have seen with other attacks that this is wide spread problem that the industry has not yet been able to solve even so technologies exist that can enable application developers to build their application without the overhead and impact that they usually claim security provides."