February 25, 2016
Troy Hunt is MVP (which, in this case, stands for Most Valuable Professional) for Developer Security at Microsoft, which makes him a trusted authority on the subject of vehicle hacking. So when Hunt uncovered a security loophole that allowed him to control a Nissan Leaf that wasn’t his own via a vulnerable API, people are going to take notice (particularly people like us who write about the automotive industry for Auto Publishers). Hunt demonstrates how alarmingly simple it is to hack a vehicle like the 2016 Nissan Leaf (pictured) in a video segment that accompanies his blog post. Hunt’s video is really quite remarkable—the analogy I would use to describe it is that Hunt is a magician who performs a seemingly impossible trick even as he explains in painstaking detail how he was able to perform it. According to Hunt, he first became aware of the Leaf loophole while attending a developer security conference in Norway (where, incidentally, the Leaf is more popular than whale meat). Hunt ran a workshop at the conference that covered how users can control API requests via a smartphone app. Hunt soon discovered that he could control any Nissan Leaf from anywhere via the connected app. From there, Hunt exposed a loophole in the Nissan Leaf API that allows hackers to retrieve user data and control vehicle functions remotely. To show how his “trick” worked, Hunt solicited the services of fellow security researcher Scott Helme, who, coincidentally enough, owns a Nissan Leaf. Despite being in Australia while Helme in England, Hunt was still able to control the heating and cooling functions in Helme’s Leaf from long distances (9,442 miles, to be exact). All Hunt needed to access Helme’s Leaf was the last five digits of the Leaf’s VIN number. With those five numbers, Hunt reveals, hackers would be able to control any Leaf via the web as if they were using the connected smartphone app. Although Hunt’s Nissan Leaf findings are alarming, revelations of vehicle hacking via connected apps and onboard vehicle tech are hardly surprising. Back in late July, Wired published a piece in which hackers were able to remote control a Jeep. On the heels of that report, Fiat Chrysler issued a pre-emptive recall of 1.4 million vehicles due to concerns that its vehicles were vulnerable to cyber attack. This prompted the NHTSA to launch its own vehicle hacking investigation into FCA’s parts supplier. If you own a vehicle that can be accessed via app, I’d encourage you to watch the video on Hunt’s blog to see how he and his colleague were able to access the Nissan Leaf. Much like a Marvel movie, it’s best to stay with the video to the end as Hunt provides a disclosure timeline for when he alerted Nissan to its security issue. At least there’s a somewhat happy postscript to the situation. After it took Nissan nearly a full month to address its hacking issue, Jalopnik relayed a mea culpa from the Japanese automaker. In a statement, Nissan says the problematic app is currently unavailable, apologizes for the inconvenience and promises to re-launch an uncompromised version of the app in the near future. Auto Publishers will be sure to keep you updated on the Nissan vehicle hacking issue as events develop.