Source: Occupy Corporatism
Date: 25 February 2016
Author: Susanne Posel
According to security analyst Troy Hunt, Nissan’s Leaf is an electric car that can be easily controlled using an internet connection and the car’s companion app, NissanConnectEV.
Troy became aware of this flaw because of an attendee at a workshop who owned a Leaf: “What the workshop attendee ultimately discovered was that not only could he connect to his Leaf over the Internet and control features independently of how Nissan had designed the app, he could control other people’s Leafs.”
Using this app, anyone with savvy hacker skills can gain remote control over the car’s air conditioning and heating units, syphon GPS coordinates, and sift through data collected by the car – including driving history.
Troy asserts that the Leaf’s app uses unauthenticated communication, which gives anyone the ability to send similar commands and requests to the car over the internet.
For protection, the Leaf changes the last 5 digits of the vehicle identification number (VIN); however, this system is flawed because the change is visible through the windshield of the car.
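The server-side check that closes this kind of gap is to authenticate the caller and then confirm that the caller owns the VIN named in the request. The following Python is an added example, not Nissan’s code or Troy Hunt’s; the function names, accounts, VINs and status codes are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: account -> VIN ownership, as a backend would store it.
SERVER_KEY = secrets.token_bytes(32)
OWNED_VINS = {
    "alice": {"TESTVIN0000012345"},
    "bob": {"TESTVIN0000012346"},  # differs from alice's only in the final digits
}

def _tag(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()

def issue_token(account: str) -> str:
    """Issued after login (hypothetical helper); the HMAC binds it to the account."""
    return f"{account}.{_tag(account)}"

def account_from_token(token: str):
    """Return the account a token was issued to, or None if it is not valid."""
    account, _, tag = token.rpartition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(account).encode())
    return account if account and ok else None

def climate_weak(vin: str) -> int:
    """The pattern described above: knowing a VIN is enough to be served."""
    known = set().union(*OWNED_VINS.values())
    return 200 if vin in known else 404

def climate_hardened(vin: str, token: str) -> int:
    """Authenticate the caller, then authorize the caller for this VIN."""
    account = account_from_token(token or "")
    if account is None:
        return 401  # no valid credential presented
    if vin not in OWNED_VINS.get(account, set()):
        return 403  # authenticated, but not the owner of this vehicle
    return 200
```

With the hardened handler, a VIN read through a windshield or guessed by varying its last digits is no longer sufficient on its own, because the request is refused unless the token’s account owns that vehicle.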
Hunt explained: “Nissan need to fix this. As car manufacturers rush towards joining in on the ‘internet of things’ craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place. Imagine getting it as wrong as Nissan has for something like Volvo’s ‘digital key’ initiative where you unlock your car with your phone.”
In 2010, teams from the University of Washington (UW) and the University of California (UC) were able to breach the computer systems of cars using cellular phone connections, Bluetooth headsets and a CD.
Computerized cars “contain cellular connections and Bluetooth wireless technology” that could be tapped into remotely and used to take over the controls of the vehicle, listen in on the conversations taking place in the cab of the car and completely compromise the safety of the vehicle.
Because the computer connections in cars are virtually indistinguishable from those of internet-connected computers, their propensity toward vulnerabilities from outside influences is similar.
Using an OnStar navigation unit, a hacker could use the controls available to a remote technician at the GPS corporation’s on-call center, because those technicians are fully capable of controlling a vehicle in the event of an accident or a call from a customer.
Rich Mogull, CEO of Securosis, a security research firm, maintains: “The more technology they add to the vehicle, the more opportunities there are for that to be abused for nefarious purposes. Anything with a computer chip in it is vulnerable, history keeps showing us.”
In 2013, hackers Chris Valasek and Charlie Miller demonstrated from the backseat of a Toyota Prius that all you need is a MacBook and a USB cable in order to hack into a computer-controlled car.
Valasek is the director of security intelligence for IOActive and Miller is a security engineer for Twitter.
These two security researchers showed that they can turn off the brakes, for example, even if the driver is at the helm.
Using a grant from the Defense Advanced Research Projects Agency (DARPA), Miller and Valasek have been researching computerized car vulnerabilities since 2012 and displayed their findings at DEF CON, a hacker conference in Las Vegas.
Miller asserted that they “had full control of braking” and that they “disengaged the brakes so if you were going slow and tried to press the brakes they wouldn’t work. We could turn the headlamps on and off, honk the horn. We had control of many aspects of the automobile.”
A hacker could gain control over more than the braking system:
• Turn off power to the steering
• Have the onboard GPS give incorrect directions
• Change the numbers on the speedometer
• Force the car to change direction
Miller explained: “At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there. We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”