Nissan LEAF cloud security fail leaves drivers exposed

The Nissan LEAF is a popular all-electric vehicle, and by “all-electric,” we mean that you have to charge it up from a power supply, and it can’t run on an alternative fuel if the battery goes flat.

However, electric-only cars have a much smaller range than similarly-sized petrol or diesel cars, and there are far fewer charging stations around than traditional fossil-fuel service stations.

In other words, issues such as how far you’ve driven since your last charge, how much charge is left, how efficiently you’ve been driving, and what route you should take for efficiency, are all well worth worrying about.

So you won’t be surprised to hear, “There’s an app for that!”

As you might expect, the app relies on a cloud-based service that collects data from your car, and then shares it with the app when you go online, and vice versa, to relay data and instructions between the app and your car.

The app doesn’t connect directly to your car over the internet and interact with it that way; instead, the app and the car both communicate with the cloud service, which acts as a broker between the two.

This means that the features of the app, such as monitoring your recent driving, don’t rely on both the app and the car being online at the same time. (Most Internet of Things services work this way.)

LEAF online

The LEAF’s online service is known as CARWINGS, although the app component is in the process of being rebranded as NissanConnect EV.

According to Nissan, the app allows you a range of functions, including the ability to:

1. Check your current charge level.
2. Start charging.
3. Check when your charging will complete.
4. Turn your climate control on or off.
5. Schedule your climate control to turn on automatically.
6. Check your estimated driving range.

Basic driving history, including times and distance travelled, is also uploaded by your car and can be retrieved via the app.

This information isn’t as critical as, say, your address, passport number or birthday, but there doesn’t seem much doubt that retrieving even your most basic driving history should be none of anyone else’s business.

Likewise, actually sending commands to your car, even if it’s only to regulate the operation of the aircon rather than to unlock the doors or to turn off the motor, ought to be protected by some kind of login security, such as a password.

The problem is, as numerous researchers around the world have discovered independently, the LEAF’s app doesn’t have any authentication, so anyone can interrogate the cloud service and read data from, or send commands to, your car.

There’s a username of sorts, which you need to know and to include in every web request that you make to the CARWINGS servers.

Sadly, it’s your vehicle’s VIN. (Vehicle Identification Number.)

That’s the tamper-proof ID that’s printed on and stamped into your car’s bodywork in numerous places, including on the front dashboard where you can read it through the windscreen.

In many countries, it’s printed on the registration sticker, too, just to make it easier to find, and even included in a handy 2D bar code so it can easily be scanned from outside the car.

That’s all you need to “authenticate.”

Using a VIN as if it were an authentication secret is as inappropriate as using a phone’s or a laptop’s MAC address (the network card ID number) for that purpose: neither of these identifiers is meant to be secret, merely to be unique.

What to do?

• If you are a web developer, don’t develop unauthenticated cloud apps that handle personal data or manage devices.
• If you are looking for an authentication secret to share between your service and a user, remember that an official number assigned by a third party can’t be considered a secret.
• If you are a LEAF owner, consider opting out of the CARWINGS service until Nissan issues a patch, so your car won’t upload data that other people could retreive.