Nissan Takes Down Exploitable NissanConnect Service

Just a few days after Nissan’s NissanConnect app was revealed to the public, its LEAF cars were hacked. The hack allows someone to use the air conditioning and heater controls to eat up battery life and to grab trip logs showing where you have been. Nissan immediately removed the functionality from its app. The app is still available for download on the iOS and Google Play stores; you just won't be able to do much with it until it is patched.

The app, formerly called CarWings and used for the Nissan LEAF, is now unavailable. An independent IT consultant and an internal Nissan investigation found that the dedicated server for the app had a flaw that made the temperature control and other telematics functions accessible via a non-secure route, as reported by The Verge.

“We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount. We’re looking forward to launching updated versions of our apps very soon,” Nissan concludes.

According to Troy Hunt, who originally found the exploits, he initially contacted Nissan in late January about the issue. He then contacted Nissan a number of additional times over the next month to explain the exploit in greater detail and ask about what Nissan’s plan was to fix it. He even gave Nissan what we’d consider a fair amount of warning before he went public with his findings.

“All in all, I sent ten emails (there was some to-and-fro) and had one phone call. This morning I did hear back with a request to wait ‘a few weeks’ before publishing, but given the extensive online discussions in public forums and the more than one-month lead time there’d already been, I advised I’d be publishing later that night and have not heard back since. I also invited Nissan to make any comments they’d like to include in this post when I contacted them on 20 Feb or provide any feedback on why they might not consider this a risk. However, there was nothing to that effect when I heard back from them earlier today, but I’ll gladly add an update later on if they’d like to contribute,” Hunt wrote on Wednesday.

“I do want to make it clear though that especially in the earlier discussions, Nissan handled this really well. It was easy to get in touch with the right people quickly and they made the time to talk and understand the issue. They were receptive and whilst I obviously would have liked to see this rectified quickly, compared to most ethical disclosure experiences security researchers have, Nissan was exemplary.”

As SlashGear notes, you can still apparently control your Leaf remotely via Nissan’s Web portal. And, if you’re a bit craftier, you can also access the Leaf API via a fairly insecure HTTP GET exploit found in Nissan’s Canadian site.

This article originally appeared on PCMag.com.

Source: http://asia.pcmag.com/cars-products/10668/news/nissan-takes-down-exploitable-nissanconnect-servic
