
A Nissan Leaf could be controlled over the Internet by anyone who knew its VIN



If you can control your car over the Internet, then it is possible that someone else can too. At least, if companies like Nissan make such gross miscalculations in their security systems.

The VIN (vehicle identification number) and the web address of the Nissan server are all you need to know about a Nissan Leaf to get remote access to the climate control system in the cabin, as well as to the car's status information and statistics. At least this does not extend to the steering.

That was the case until Wednesday night, when Nissan finally turned off the API for the mobile companion application. This happened a month after the well-known security specialist Troy Hunt sent a bug report to Nissan. He waited that long, in good faith, before making the information public.
Troy writes that by that time outsiders had already begun to exploit the vulnerability, judging by the messages on the forums.

The application uses the GET method to request information from the server, which allows you to send requests directly through the browser.

GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21 

The server returns a JSON response with data about the vehicle systems and statistics.



Another request.

 GET https://[redacted].com/orchestration_1111/gdc/RemoteACRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX 

Returns a response with climate status information.



The mobile application's screen shows an on/off button for climate control.



Another GET request can “push” the ON / OFF button.

 GET https://[redacted].com/orchestration_1111/gdc/ACRemoteRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris 

Additionally, some personal information about the owner is sent.



Troy Hunt emphasizes that this is not even a miscalculation in the security system but its complete absence. There was no authorization at all between the mobile application for managing the car and the server: the company's APIs worked completely anonymously, without authorization tokens.

The situation is aggravated by the fact that the VINs of all Nissan Leaf vehicles differ only in the last five characters, so GET requests can be sent by enumerating the codes, for example from the Burp program.
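
An added example, not code from the article or from Nissan: a server-side check of the kind the API lacked, in which a signed token identifies the account and the VIN in the query must be registered to that account, so knowing or guessing a VIN is no longer enough. The signing key, account table, host name and test VIN are constructed for illustration; only the endpoint name comes from the requests shown above.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit, parse_qs

SECRET = b"demo-only-signing-key"              # constructed; use a managed secret in practice
OWNERS = {"acct-1001": {"TESTVIN0000000001"}}  # constructed: account -> VINs registered to it
STATE_CHANGING = {"ACRemoteRequest.php"}       # endpoint name from the article


def issue_token(account, ttl=900, now=None):
    """Return 'account.expiry.signature', signed with HMAC-SHA256."""
    expiry = int((now if now is not None else time.time()) + ttl)
    msg = f"{account}.{expiry}".encode()
    return f"{account}.{expiry}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def verify_token(token, now=None):
    """Return the account id for a valid, unexpired token, else None."""
    try:
        account, expiry, sig = token.rsplit(".", 2)
        expires_at = int(expiry)
    except (AttributeError, ValueError):
        return None                     # missing or malformed token
    expected = hmac.new(SECRET, f"{account}.{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                     # signature mismatch (constant-time comparison)
    if expires_at < (now if now is not None else time.time()):
        return None                     # expired
    return account


def authorize(method, url, token, now=None):
    """Return the HTTP status the API should answer with."""
    parts = urlsplit(url)
    endpoint = parts.path.rsplit("/", 1)[-1]
    vin = parse_qs(parts.query).get("VIN", [""])[0]
    account = verify_token(token, now)
    if account is None:
        return 401                      # no anonymous access
    if vin not in OWNERS.get(account, set()):
        return 403                      # VIN is not registered to this account
    if endpoint in STATE_CHANGING and method != "POST":
        return 405                      # actions must not be triggerable by a plain GET
    return 200
```

With this check in place, a request that carries only a VIN gets 401, and a valid token paired with someone else's VIN gets 403, which also gives the server a clear signal to log and rate-limit.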



Troy Hunt himself owns a Nissan Leaf, so he expressed the hope that the company would fix this bug and resume the remote monitoring service for the car in the mobile application.

Source: https://habr.com/ru/post/391063/

