Nissan Leaf Research Paper

Using PC used as a proxy server (Fiddler) between Nissan LEAF app (called NissanConnect EV) and the network, it was discovered that the app use an unprotected HTTP protocol (using GET commands) to access vehicle status. Status includes charge level, plug state and time, autonomy, HVAC activation, a timer, and passed trip information. To succeed, the request requires only a valid VIN number to identify the target vehicle, no user id, no password, no session. Activation of AC even returns a user Id which is a variation of user name (could be a privacy issue). VIN number on Nissan LEAF always have the format SJNFAAZE0U60XXXXX, where XXXXX is the car identifier, so it is easy to command AC of unknown LEAF just by sending a lot of HTTP GET requests. …show more content…
But invalid request are clearly identified with a return status indicating an error code. Trip information is stored in the car (several years’ history) and can be retrieved with an unprotected GET command: power consumption, travel distance, drive efficiency, date and time, and mileage. This can give to a remote attacker some information about the frequency, the time and the extent of user’s daily trips. The back end server is not unique but depends on the region where the car was registered: multiple API endpoints controlled by different party means that any needed correction need to apply on different servers with different API. This situation is not ideal for deploying a needed correction as well as in term of cost of this correction. It appears also that the App has the possibility to disable the Telematics unit of the LEAF. Issue was reported to Nissan on January 23th, details were exchanged by email and phone until February 20th but as some forums where aware of the problem Hunt decided to publish an article on his security blog on February 24th even if no correction has been made. On February 25th, Nissan has taken the service