Nissan is aware of the issue, doesn't have an official fix

Feb 24, 2016 15:40 GMT

Nissan LEAF, one of the company's electric car models, uses insecure APIs to let users query and control their vehicles' features. These APIs require no authentication at all and can be reached by anyone with an Internet connection.

Nissan LEAF stands for "Leading Environmentally-friendly Affordable Family car" and is one of Nissan's most successful electric car models. LEAF cars come with an optional mobile app that allows owners to check and control a limited set of features.

Users in different countries discovered the unprotected APIs

Over the past few months, unrelated users independently discovered that the API endpoints to which this mobile app sends its commands had been left unprotected by Nissan and the partners operating these servers.

With only the car's VIN (Vehicle Identification Number), an attacker could craft a URL that, when opened in a browser, would either retrieve information about the car or tell the vehicle to execute a command.

Multiple users discovered that they could see a LEAF's battery status, tell the car to start or stop charging, turn on/off the air conditioning system, and even retrieve information about previous trips.

All of these requests depended on a few parameters that could be guessed or found through Internet searches, including VINs, which in theory should be private.

Nissan did one thing right, though: the API cannot start or stop the car, or lock and unlock the doors. Additionally, the API doesn't leak personally identifiable information, only some car settings and status data.
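The defect described above is a missing authorization check: the VIN alone selects the vehicle, so anyone who knows a VIN can read its data. As an added illustration (not Nissan's or the app's code; the account and session tables are constructed sample data), the handler below contrasts a VIN-only lookup with one that binds the request to an authenticated owner:

```python
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed sample data for illustration only; none of these are real records.
# VIN -> owning account, session token -> account, VIN -> battery percentage.
VEHICLE_OWNERS = {"VINEXAMPLE0000001": "alice", "VINEXAMPLE0000002": "bob"}
SESSIONS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}
BATTERY = {"VINEXAMPLE0000001": 81, "VINEXAMPLE0000002": 47}


@dataclass
class Response:
    status: int
    body: dict


def battery_status_vin_only(vin: str) -> Response:
    """Weak pattern: the VIN is the only input, so knowing or guessing a VIN
    is enough to read any vehicle's data (the flaw described in the article)."""
    if vin not in BATTERY:
        return Response(404, {"error": "unknown vehicle"})
    return Response(200, {"vin": vin, "battery_pct": BATTERY[vin]})


def battery_status_authorized(vin: str, session_token: Optional[str]) -> Response:
    """Hardened pattern: require a valid session, then check that the session's
    account actually owns the requested VIN before releasing anything."""
    if not session_token:
        return Response(401, {"error": "authentication required"})
    # Constant-time comparison so token validity is not leaked through timing.
    account = next((acct for tok, acct in SESSIONS.items()
                    if hmac.compare_digest(tok, session_token)), None)
    if account is None:
        return Response(401, {"error": "invalid session"})
    # Answer 404 rather than 403 so a caller cannot enumerate which VINs exist.
    if VEHICLE_OWNERS.get(vin) != account:
        return Response(404, {"error": "unknown vehicle"})
    return Response(200, {"vin": vin, "battery_pct": BATTERY[vin]})
```

The same ownership check applies to command endpoints (charging, climate control), where the cost of a missing check is an action on someone else's car rather than a data leak.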

Nissan is aware of the issues, no statement from the company

The first people to find these issues were users of a Canadian auto forum. The issue was then independently discovered by a Norwegian security researcher. He, in turn, told Troy Hunt, owner of the Have I Been Pwned? website, who was at a conference in the researcher's country.

After confirming that the API had no user authentication whatsoever, Mr. Hunt contacted Nissan on January 23 to inform the company of the problem.

At the time of writing, the Nissan LEAF APIs are still exposed, but Mr. Hunt says there is a Web portal where users can deactivate the remote management feature. This portal resides at different URLs depending on the user's country.