Remote control cars: Nissan Leaf edition
-
Summary: having the VIN for one of these cars allows one to make requests to a public-facing API to pull data from the car's computer, or (so far) fiddle with climate control stuff. No authentication required.
-
and gather extensive data from the car’s computer about recent trips, distances of those trips (recorded, oddly, in yards)
Are they SURE it wasn't meters? Yards?! WTF.
I also find it hard to believe nobody at Nissan whistle-blowed on this for like 2 years. Seriously!?
-
Goddamn idiots, an API without any kind of auth..
-
Idiot is not the right term for something like this.
We're talking about an internet-connected car that went through the entire chain of command, up to whoever made the final order to ship it, without any single person in it stopping to put any thought about security.
In any civilized world this ought to be a scandal on the level of the Volkswagen emissions thing. What will it be? A few headlines on specialized media and, if we're lucky, an update to fix it.
-
But to get the VIN you'd have to look at the car pretty close, which I don't think even John H. Nissan can do without projectile vomiting his guts everywhere.
-
Read the article again, there's a detail you missed.
(Only the final 5 digits of the VIN are unique to each Leaf. The researcher already ran a script to find valid VINs via guess-and-check.)
-
I didn't read it in the first place, but that detail wouldn't have changed anything in my joke about the car's appearance anyway.
-
Pfft. Like I'm going to get all the way to the end of a sentence with a comma.
-
Is everyone at Nissan an idiot?
-
But to get the VIN you'd have to look at the car pretty close
(Only the final 5 digits of the VIN are unique to each Leaf. The researcher already ran a script to find valid VINs via guess-and-check.)
I'm fairly certain that you have to have the VIN in the windscreen in the EU (anti-theft thing).
That does not at all have security implications /s (yes of course you could always incapacitate the car in another way)
-
Is everyone at ~~Nissan~~ who designs cars an idiot?
Given that none of them seem to have ever heard of the word "security", the answer seems self-evident.
-
We're talking about an internet-connected car that went through the entire chain of command, up to whoever made the final order to ship it, without any single person in it stopping to put any thought about security.
I heard one of those cars got used in a drive-by shooting and now the FBI is trying to make Nissan build them a special tool to break the encryption. Apparently it's like nothing they've ever seen used in a commercial product before.
-
Pretty much every industry with huge corporations in it has done something stupid with computers recently.
-
The stupidity level will increase moronotonically. Mark my words.
-
To give Nissan the benefit of the doubt, they were not into IT until the development of smart cars. But still
-
But to get the VIN you'd have to look at the car pretty close,
My state has a website where you enter the registration plate number and it will tell you the VIN.
-
That's fantastic and could never be abused...
-
Pretty much every industry with huge corporations in it has done something stupid with computers recently.
Right; small organizations, like OpenSSL, would never fuck up a security issue. The only possible Benclusion! CORPORATIONS ARE TO BLAME!
(See, I can make up new words too.)
-
We're talking about an internet-connected car that went through the entire chain of command, up to whoever made the final order to ship it, without any single person in it stopping to put any thought about security.
Japan? But yeah, I kinda have a higher expectation from them; tantamount to that of Germans. But hey look how that turned out. Still I would rather use German or Japanese product over... errm ... you know.
-
Still I would rather use German or Japanese product over... errm ... you know.
Pfft. American cars have made a comeback starting in the mid-90s. There's no quality difference now between my Ford and a Toyota. Of course my Ford, being a hybrid, uses an engine and transmission design Ford licensed from Toyota, BUT IGNORE THAT LITTLE DETAIL!
-
Right; small organizations, like OpenSSL, would never fuck up a security issue.
I think there's a difference in scale between "no security whatsoever" and "security with a flaw". Nissan didn't even try to be secure.
-
It's trivial to find both an API reference (with full URL) and the Nissan Leaf VIN ranges with a minute of Googling.
Wonder how quickly they fix it now.
Edit: A friend has one but I'm not enough of a bastard to adjust his heating for him...
-
@ben_lubar said:
Pretty much every industry with huge corporations in it has done something stupid with computers recently.
Right; small organizations, like OpenSSL, would never fuck up a security issue. The only possible Benclusion! CORPORATIONS ARE TO BLAME!
(See, I can make up new words too.)
I didn't say the huge corporations were to blame. I was using that as a method of uninclusing industries like the artisanal cheese industry.
-
It may be a while if there is no widespread use of the flaw.
They'll have to figure out a new way for people to claim and lock a vin (and probably share with family etc)
-
Goddamn idiots, an API without any kind of auth.
And it isn't going to change until they start passing laws, and start sending people to jail over this.
-
Nissan didn't even try to be secure.
"But... but... we use https! What do you mean 'not secure'?"
-
uninclusing industries like the artisanal cheese industry
And what evidence do you have that the artisanal cheese industry has done nothing stupid with computers recently?
Filed under: Stupidity With Computers For Dummies
Edit: it holds its end up reasonably well even without the computers.
https://www.youtube.com/watch?v=3IITAJ6NDlo
-
And what evidence do you have that the artisanal cheese industry has done nothing stupid with computers recently?
None, I simply don't have evidence of them having done something stupid with computers recently.
-
Is everyone at Nissan an idiot?
Well, the 370z and the GT-R have basically been the same car for about six years. In that timespan, their American competitors have gone through at least two generations.
Is everyone at ~~Nissan~~ who designs cars an idiot? FTFY
They might not be tech experts, but this thing traps 116 in the 1/4 mile from the factory, which is pretty impressive given the price point and equipment.
-
I simply don't have evidence of them having done something stupid with computers recently
We'll have none of that presumption of innocence shit in this battalion, soldier!
-
That's fantastic and could never be abused...
The VIN is public information, in that if you have the car in your presence you can easily see it, just like the number plate. The VIN is on a plaque visible through one of the bottom corners of the windscreen.
-
Pretty much every industry with huge corporations in it has done something stupid with computers recently.
I think the word you're seeking here is "people". Lessee...Pretty much every industry with people in it has done something stupid with computers recently.
Yup, much better. And I am in no way seeking to exclude the artisanal cheese industry. I'm sure that if they have a trade organisation, it has done something stupid on its web site, for example.
-
It's trivial to find both an API reference (with full URL) and the Nissan Leaf VIN ranges with a minute of Googling.
Wonder how quickly they fix it now.
They've now disabled the app.
That's the same as fixing it isn't it?
I hope they've disabled the API too, I wouldn't count on it though.
-
It's surprising that pretty much every industry out there has to follow 500 pages of regulations when building their products, except for programmers.
-
I hope they've disabled the API too
Yep, it's all giving 404s now on things that worked yesterday.
-
It's surprising that pretty much every industry out there has to follow 500 pages of regulations when building their products, except for programmers.
Shhhhhhhh! Don't give the government stupid ideas.
-
It's surprising that pretty much every industry out there has to follow 500 pages of regulations when building their products, except for programmers.
In that respect, I agree with you, at least partially. Medical, aviation and transportation are heavily regulated. But I think, as with Engineers, Programmers should have to pass SOME sort of licensing exam, and they should have to re-certify every 5 or so years. Some copy+pasta script kiddy may not get someone killed from a poorly thought out and executed medical device software problem, but they could end up costing whoever hired them their life savings because they foolishly set up a small business' payment processing insecurely, and get the owner sued out of business.
-
Some copy+pasta script kiddy may not get someone killed from a poorly thought out and executed medical device software problem, but they could end up costing whoever hired them their life savings because they foolishly set up a small business' payment processing insecurely, and get the owner sued out of business.
But there also isn't a process of certifying business owners as being competent. When will the madness end!?
-
- Life critical stuff (cars, hospital software) should definitely have to follow strict regulations and be inspected by a third party
- Consumer devices, particularly those that connect to the internet, should have to meet some basic standards, including: can't sell stuff with known security flaws (defined as devices that let 3rd parties to see or control anything about the device without your explicit permission), any found flaws have to be patched within X days (and probably have the company pay a monetary fine for each one), online services guaranteed to work for X years, no arbitrarily removing existing features, refunds for all customers if you break any of those promises. Basically if I buy something, I should have the right to it not be broken (like I already have with most other kinds of products).
- Other software? That's harder to say, mostly because aside from some obvious mistakes, it's so hard to define what constitutes good code or good programmers.
The important thing to keep in mind here is that 3rd party certifications are already possible. So if a "programmer license" was possible and useful, you'd expect most companies today to ask for them already. Are they? Well, AFAIK, not really.
-
But there also isn't a process of certifying business owners as being competent. When will the madness end!?
Um ... business license? I realize that is just a fee, but it is also a contractual obligation. They bring charges against business owners under that license when they are caught breaking the law... don't they? O_O
-
The important thing to keep in mind here is that 3rd party certifications are already possible. So if a "programmer license" was possible and useful, you'd expect most companies today to ask for them already. Are they? Well, AFAIK, not really.
Are you kidding me? I freelanced in college before I sold-out™ and went corporate. The kind of people hiring script kiddies barely can find their own asses with a map and a guided tour. It isn't their fault (usually), it is just that the tech world is just completely out of their depth. That is why they want to hire someone to do it for them/help them with it. They are relying on the professionalism of whom they hire (sadly for them, in a lot of cases). They wouldn't know to even ask for a license. Hell, they frequently didn't know to ask to see a working demo of code they've paid for, before they paid the ~~criminal~~ script kiddie and they scampered off for the hills having left a mess behind for someone like me to clean up. :sigh:
-
Just remember, people, even PHP has a certification process. I am a certified PHP engineer.
If even PHP can get this shit kind of right, why the hell can't other industries?
-
If even PHP can get this shit kind of right
E_ILLOGICAL
Filed Under: Sorry, I had to....
500 Internal Server Error
-
I am a certified PHP engineer.
HAHAHHAHAHAHAHAHAHAHHAHAHAHAhahahHAHAAHA
Oh.
... it actually looks pretty thorough. Huh.
I do wonder who decided to subtract the 1% of the score from Types and added it to Data Access. "Damnit, Phil. You and your obsession with Data Access! Fine... I'll make it 26% of the final score, happy?!?"
-
But the guys who built the web services component for this aren't car designers. Or maybe they were, and this attack vector never occurred to them because they thought people would actually try to guess the 5 random numbers instead of scripting a generator.
-
I understand the concept, I would run down a hill after cheese too, but not so recklessly as to break my fucking leg. That must be some seriously good cheese.
-
this attack vector never occurred to them
You should never provide an API to access something that belongs to a person without authentication. Maybe there are exceptions but I can't think of any OTTOMH. A car is most certainly not one.
By and large, car makers don't seem to have realized this yet--or are just barely beginning to. Lots of IoT hardware makers clearly don't understand that either.
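To make the point of the last few posts concrete (an API keyed on nothing but a VIN, the "claim and lock a VIN" fix mentioned earlier, and the guess-and-check problem that a 5-digit unique suffix invites), here is an added example written for this thread; it is not code from the thread, from the researcher, or from Nissan, and nothing in it reflects the real app's API. The VINs, the one-time dashboard pairing code used to prove ownership, and the access-log format are all assumptions constructed for the example. It shows the vulnerable lookup beside a hardened one that requires a session, checks that the VIN is claimed by that account, and returns one generic error for every failure so the endpoint cannot be used to confirm which VINs exist, plus a small log check that flags a client asking about more distinct VINs than one owner plausibly has.

```python
import secrets
from collections import defaultdict

# Constructed sample "car computer" records keyed by VIN.
# These VINs are placeholders, not real Nissan VIN ranges.
CARS = {
    "VIN-PLACEHOLDER-00001": {"battery_pct": 82, "last_trip_m": 12400},
    "VIN-PLACEHOLDER-00002": {"battery_pct": 45, "last_trip_m": 3100},
}


def vulnerable_lookup(vin):
    """The 'before' design: the VIN alone is the key, so anyone who knows or
    guesses a VIN reads the car's data. No identity, no ownership check."""
    return CARS.get(vin)


class AuthError(Exception):
    """Raised for every refused request, always with the same message."""


class CarApi:
    """The 'after' design: callers log in, a VIN must be claimed by the
    account asking for it, and failures never reveal whether a VIN exists."""

    def __init__(self):
        self._sessions = {}  # bearer token -> username
        self._claims = {}    # vin -> username that proved ownership
        self._pairing = {}   # vin -> one-time pairing code (assumed flow)

    def issue_pairing_code(self, vin):
        # Assumption: the car shows a one-time code on its dashboard, so
        # only someone with physical access to that car can claim it.
        if vin not in CARS:
            raise AuthError("request denied")
        code = secrets.token_hex(4)
        self._pairing[vin] = code
        return code

    def claim_vin(self, username, vin, code):
        """Bind the VIN to an account once; a second claim is refused."""
        if self._pairing.get(vin) != code or vin in self._claims:
            raise AuthError("request denied")
        del self._pairing[vin]
        self._claims[vin] = username

    def login(self, username):
        # Password checking is omitted; this models session issuance only.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def lookup(self, token, vin):
        user = self._sessions.get(token)
        # Same error for a bad token, an unknown VIN and someone else's VIN,
        # so the endpoint is not an "is this VIN real?" oracle.
        if user is None or self._claims.get(vin) != user:
            raise AuthError("request denied")
        return CARS[vin]


def is_denied(api, token, vin):
    """True when the hardened lookup refuses the request."""
    try:
        api.lookup(token, vin)
    except AuthError:
        return True
    return False


# Constructed access-log lines: "<client_ip> <vin> <http_status>".
SAMPLE_LOG = """\
203.0.113.7 VIN-PLACEHOLDER-00001 200
198.51.100.9 VIN-PLACEHOLDER-00001 200
198.51.100.9 VIN-PLACEHOLDER-00002 200
198.51.100.9 VIN-PLACEHOLDER-00003 404
198.51.100.9 VIN-PLACEHOLDER-00004 404
198.51.100.9 VIN-PLACEHOLDER-00005 404
"""


def flag_vin_enumeration(log_text, max_distinct_vins=3):
    """Return clients that asked about more distinct VINs than the threshold;
    a guess-and-check run shows up as many distinct VINs from one client."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ip, vin, _status = line.split()
        seen[ip].add(vin)
    return sorted(ip for ip, vins in seen.items() if len(vins) > max_distinct_vins)


def demo():
    """Run the claim/login/lookup flow and the log check; return the outcomes."""
    api = CarApi()
    vin = "VIN-PLACEHOLDER-00001"
    code = api.issue_pairing_code(vin)
    api.claim_vin("alice", vin, code)
    alice, bob = api.login("alice"), api.login("bob")
    return {
        "owner_reads": api.lookup(alice, vin)["battery_pct"],
        "other_user_denied": is_denied(api, bob, vin),
        "unknown_vin_denied": is_denied(api, alice, "VIN-PLACEHOLDER-99999"),
        "bad_token_denied": is_denied(api, "not-a-token", vin),
        "flagged_clients": flag_vin_enumeration(SAMPLE_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that authorization is an explicit ownership binding (VIN claimed by exactly one account through something only the physical owner can see), not a guess at how hard a VIN is to obtain; once that binding exists, whether the VIN is printed in the windscreen or published on a state registry website no longer matters.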