:fa_gamepad: :fa_car: :fa_bug: Remote control cars: Nissan Leaf edition



  • Summary: having the VIN for one of these cars allows one to make requests to a public-facing API to pull data from the car's computer, or (so far) fiddle with climate control stuff. No authentication required.



  • and gather extensive data from the car’s computer about recent trips, distances of those trips (recorded, oddly, in yards)

    Are they SURE it wasn't meters? Yards?! WTF.

    I also find it hard to believe nobody at Nissan whistle-blowed on this for like 2 years. Seriously!?



  • Goddamn idiots, an API without any kind of auth...



  • Idiot is not the right term for something like this.

    We're talking about an internet-connected car that went through the entire chain of command, up to whoever made the final order to ship it, without any single person in it stopping to put any thought about security.

    In any civilized world this ought to be a scandal on the level of the Volkswagen emissions thing. What will it be? A few headlines on specialized media and, if we're lucky, an update to fix it.



  • But to get the VIN you'd have to look at the car pretty closely, which I don't think even John H. Nissan can do without projectile vomiting his guts everywhere.



  • Read the article again, there's a detail you missed.

    (Only the final 5 digits of the VIN are unique to each Leaf. The researcher already ran a script to find valid VINs via guess-and-check.)



  • I didn't read it in the first place, but that detail wouldn't have changed anything in my joke about the car's appearance anyway.



  • Pfft. Like I'm going to get all the way to the end of a sentence with a comma.



  • Is everyone at Nissan an idiot?



  • @hungrier said:

    But to get the VIN you'd have to look at the car pretty close

    @blakeyrat said:

    (Only the final 5 digits of the VIN are unique to each Leaf. The researcher already ran a script to find valid VINs via guess-and-check.)

    I'm fairly certain that you have to have the VIN in the windscreen in the EU (anti-theft thing).
    That does not at all have security implications /s (yes, of course you could always incapacitate the car in another way)


  • Discourse touched me in a no-no place

    @aapis said:

    Is everyone at Nissan who designs cars an idiot?

    Given that none of them seem to have ever heard of the word "security", the answer seems self-evident.



  • @anonymous234 said:

    We're talking about an internet-connected car that went through the entire chain of command, up to whoever made the final order to ship it, without any single person in it stopping to put any thought about security.

    I heard one of those cars got used in a drive-by shooting and now the FBI is trying to make Nissan build them a special tool to break the encryption. Apparently it's like nothing they've ever seen used in a commercial product before.



  • Pretty much every industry with huge corporations in it has done something stupid with computers recently.



  • The stupidity level will increase moronotonically. Mark my words.



  • To give Nissan the benefit of the doubt, they were not into IT until the development of smart cars. But still :wtf:



  • @FrostCat said:

    Is everyone at who designs cars an idiot?

    FTFY



  • @hungrier said:

    But to get the VIN you'd have to look at the car pretty close,

    My state has a website where you enter the registration plate number and it will tell you the VIN.


  • Discourse touched me in a no-no place

    @flabdablet said:

    moronotonically

    :laughing: I approve of that word.


  • Winner of the 2016 Presidential Election

    That's fantastic and could never be abused...

    :facepalm:



  • @ben_lubar said:

    Pretty much every industry with huge corporations in it has done something stupid with computers recently.

    Right; small organizations, like OpenSSL, would never fuck up a security issue. The only possible Benclusion! CORPORATIONS ARE TO BLAME!

    (See, I can make up new words too.)



  • @anonymous234 said:

    We're talking about an internet-connected car that went through the entire chain of command, up to whoever made the final order to ship it, without any single person in it stopping to put any thought about security.

    Japan? But yeah, I kinda have a higher expectation from them; tantamount to that of Germans. But hey look how that turned out. Still I would rather use German or Japanese product over... errm ... you know.



  • @Ascendant said:

    Still I would rather use German or Japanese product over... errm ... you know.

    Pfft. American cars have made a comeback starting in the mid-90s. There's no quality difference now between my Ford and a Toyota. Of course my Ford, being a hybrid, uses an engine and transmission design Ford licensed from Toyota, BUT IGNORE THAT LITTLE DETAIL!



  • @blakeyrat said:

    Right; small organizations, like OpenSSL, would never fuck up a security issue.

    I think there's a difference in scale between "no security whatsoever" and "security with a flaw". Nissan didn't even try to be secure.



  • It's trivial to find both an API reference (with full URL) and the Nissan Leaf VIN ranges with a minute of Googling.

    Wonder how quickly they fix it now.

    Edit: A friend has one but I'm not enough of a bastard to adjust his heating for him...



  • @blakeyrat said:

    @ben_lubar said:
    Pretty much every industry with huge corporations in it has done something stupid with computers recently.

    Right; small organizations, like OpenSSL, would never fuck up a security issue. The only possibly Benclusion! CORPORATIONS ARE TO BLAME!

    (See, I can make up new words too.)

    I didn't say the huge corporations were to blame. I was using that as a method of uninclusing industries like the artisanal cheese industry.



  • It may be a while if there is no widespread use of the flaw.
    They'll have to figure out a new way for people to claim and lock a vin (and probably share with family etc)



  • @swayde said:

    Goddamn idiots, an API without any kind of auth.

    And it isn't going to change until they start passing laws, and start sending people to jail over this.



  • @swayde said:

    claim and lock a vin

    :wtf:



  • @LB_ said:

    Nissan didn't even try to be secure.

    :older_man: "But... but... we use https! What do you mean 'not secure'?"



  • @ben_lubar said:

    uninclusing industries like the artisanal cheese industry

    And what evidence do you have that the artisanal cheese industry has done nothing stupid with computers recently?

    Filed under: Stupidity With Computers For Dummies

    Edit: it holds its end up reasonably well even without the computers.
    Gloucestershire Cheese Rolling 2015 – 02:11
    — SoGlos



  • @flabdablet said:

    And what evidence do you have that the artisanal cheese industry has done nothing stupid with computers recently?

    None, I simply don't have evidence of them having done something stupid with computers recently.



  • @aapis said:

    Is everyone at Nissan an idiot?

    Well, the 370z and the GT-R have basically been the same car for about six years. In that timespan, their American competitors have gone through at least two generations.

    @LB_ said:

    Is everyone at who designs cars an idiot?

    FTFY

    They might not be tech experts, but this thing traps 116 in the 1/4 mile from the factory, which is pretty impressive given the price point and equipment.



  • @ben_lubar said:

    I simply don't have evidence of them having done something stupid with computers recently

    We'll have none of that presumption of innocence shit in this battalion, soldier!



  • @sloosecannon said:

    That's fantastic and could never be abused...

    The VIN is public information, in that if you have the car in your presence you can easily see it, just like the number plate. The VIN is on a plaque visible through one of the bottom corners of the windscreen.



  • @ben_lubar said:

    Pretty much every industry with huge corporations in it has done something stupid with computers recently.

    I think the word you're seeking here is "people". Lessee...

    Pretty much every industry with people in it has done something stupid with computers recently.

    Yup, much better. And I am in no way seeking to exclude the artisanal cheese industry. I'm sure that if they have a trade organisation, it has done something stupid on its web site, for example.


  • Discourse touched me in a no-no place

    @Cursorkeys said:

    It's trivial to find both an API reference (with full URL) and the Nissan Leaf VIN ranges with a minute of Googling.

    Wonder how quickly they fix it now.

    They've now disabled the app.

    That's the same as fixing it isn't it? :trolleybus:

    I hope they've disabled the API too, I wouldn't count on it though.



  • It's surprising that pretty much every industry out there has to follow 500 pages of regulations when building their products, except for programmers.



  • @DoctorJones said:

    I hope they've disabled the API too

    Yep, it's all giving 404s now on things that worked yesterday.


  • Discourse touched me in a no-no place

    @anonymous234 said:

    It's surprising that pretty much every industry out there has to follow 500 pages of regulations when building their products, except for programmers.

    Shhhhhhhh! Don't give the government stupid ideas.



  • @anonymous234 said:

    It's surprising that pretty much every industry out there has to follow 500 pages of regulations when building their products, except for programmers.

    In that respect, I agree with you, at least partially. Medical, aviation and transportation are heavily regulated. But I think, as with Engineers, Programmers should have to pass SOME sort of licensing exam, and they should have to re-certify every 5 or so years. Some copy+pasta script kiddy may not get someone killed from a poorly thought out and executed medical device software problem, but they could end up costing whoever hired them their life savings because they foolishly set up a small business' payment processing insecurely, and get the owner sued out of business.


  • Discourse touched me in a no-no place

    @Vaire said:

    Some copy+pasta script kiddy may not get someone killed from a poorly thought out and executed medical device software problem, but they could end up costing whoever hired them their life savings because they foolishly set up a small business' payment processing insecurely, and get the owner sued out of business.

    But there also isn't a process of certifying business owners as being competent. When will the madness end!?



    1. Life-critical stuff (cars, hospital software) should definitely have to follow strict regulations and be inspected by a third party
    2. Consumer devices, particularly those that connect to the internet, should have to meet some basic standards, including: can't sell stuff with known security flaws (defined as devices that let 3rd parties see or control anything about the device without your explicit permission), any found flaws have to be patched within X days (and probably have the company pay a monetary fine for each one), online services guaranteed to work for X years, no arbitrarily removing existing features, refunds for all customers if you break any of those promises. Basically, if I buy something, I should have the right for it not to be broken (like I already have with most other kinds of products).
    3. Other software? That's harder to say, mostly because aside from some obvious mistakes, it's so hard to define what constitutes good code or good programmers.

    The important thing to keep in mind here is that 3rd party certifications are already possible. So if a "programmer license" was possible and useful, you'd expect most companies today to ask for them already. Are they? Well, AFAIK, not really.



  • @dkf said:

    But there also isn't a process of certifying business owners as being competent. When will the madness end!?

    Um ... business license? I realize that is just a fee, but it is also a contractual obligation. They bring charges against business owners under that license when they are caught breaking the law... don't they? O_O



  • @anonymous234 said:

    The important thing to keep in mind here is that 3rd party certifications are already possible. So if a "programmer license" was possible and useful, you'd expect most companies today to ask for them already. Are they? Well, AFAIK, not really.

    Are you kidding me? I freelanced in college before I sold-out™ and went corporate. The kind of people hiring script kiddies can barely find their own asses with a map and a guided tour. It isn't their fault (usually), it is just that the tech world is completely out of their depth. That is why they want to hire someone to do it for them/help them with it. They are relying on the professionalism of whom they hire (sadly for them, in a lot of cases). They wouldn't know to even ask for a license. Hell, they frequently didn't know to ask to see a working demo of code they've paid for, before they paid the criminal script kiddie and they scampered off for the hills having left a mess behind for someone like me to clean up. :sigh:


  • SockDev

    Just remember, people, even PHP has a certification process. I am a certified PHP engineer.

    If even PHP can get this shit kind of right, why the hell can't other industries?


  • Winner of the 2016 Presidential Election

    @Arantor said:

    If even PHP can get this shit kind of right

    E_ILLOGICAL

    Filed Under: Sorry, I had to....

    500 Internal Server Error



  • @Arantor said:

    I am a certified PHP engineer.

    HAHAHHAHAHAHAHAHAHAHHAHAHAHAhahahHAHAAHA

    Oh.

    ... it actually looks pretty thorough. Huh.

    I do wonder who decided to subtract the 1% of the score from Types and added it to Data Access. "Damnit, Phil. You and your obsession with Data Access! Fine... I'll make it 26% of the final score, happy?!?"



  • But the guys who built the web services component for this aren't car designers. Or maybe they were, and this attack vector never occurred to them because they thought people would actually try to guess the 5 random numbers instead of scripting a generator.



  • I understand the concept, I would run down a hill after cheese too, but not so recklessly as to break my fucking leg. That must be some seriously good cheese.


  • Discourse touched me in a no-no place

    @aapis said:

    this attack vector never occurred to them

    You should never provide an API to access something that belongs to a person without authentication. Maybe there's exceptions but I can't think of any OTTOMH. A car is most certainly not one.

    By and large, car makers don't seem to have realized this yet--or are just barely beginning to. Lots of IoT hardware makers clearly don't understand that either.
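The point made in the last post (an API that exposes something belonging to a person must authenticate the caller and check that the caller actually owns that thing) and the earlier remark about letting people "claim and lock a VIN" can be shown side by side in code. The following is an added example written for this thread; it is not Nissan's code and not code posted by anyone in the discussion. The VINs, account names, tokens, log lines and the `/status?vin=` path are all constructed placeholders. It contrasts the unauthenticated lookup the thread describes with a version that requires a session token and an ownership claim, and it includes a small detector that flags a client querying many distinct VINs, which is what guessing the non-fixed digits of a VIN looks like in an access log.

```python
"""Ownership-bound authorization for a vehicle telematics API, beside the
pattern described in the thread (anyone who knows a VIN gets the data),
plus an enumeration detector over constructed access-log lines.

Added example for this thread; not Nissan's code and not code from any
poster. Every VIN, account, token, path and log line here is constructed.
"""
import secrets
from collections import defaultdict

# Constructed data: which customer account has claimed which vehicle.
CLAIMED_VINS = {
    "acct-alice": {"VINCONSTRUCTED00001"},
    "acct-bob": {"VINCONSTRUCTED00002"},
}

# Constructed telematics records keyed by VIN.
TELEMATICS = {
    "VINCONSTRUCTED00001": {"battery_pct": 81, "last_trip_m": 12000},
    "VINCONSTRUCTED00002": {"battery_pct": 40, "last_trip_m": 3500},
}

# Session store: opaque random token -> account id (in-memory stand-in).
SESSIONS = {}


def login(account_id):
    """Issue an unguessable session token for an already-authenticated account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def vulnerable_status(vin):
    """The pattern the thread describes: the VIN is all the caller needs."""
    return TELEMATICS.get(vin)


def hardened_status(token, vin):
    """Return (http_status, record).

    Authenticates the caller via the session token, then checks that the
    caller's account has claimed this VIN. Unowned and unknown VINs both
    answer 404, so the endpoint cannot be used to confirm which VINs exist.
    """
    account = SESSIONS.get(token)
    if account is None:
        return 401, None
    if vin not in CLAIMED_VINS.get(account, set()):
        return 404, None
    return 200, TELEMATICS.get(vin)


# Constructed access-log lines: "<timestamp> <client_ip> <path> <status>".
SAMPLE_LOG = """\
2016-02-24T09:00:01Z 198.51.100.4 /status?vin=VINCONSTRUCTED00001 200
2016-02-24T09:00:12Z 203.0.113.7 /status?vin=VINCONSTRUCTED00000 404
2016-02-24T09:00:13Z 203.0.113.7 /status?vin=VINCONSTRUCTED00001 404
2016-02-24T09:00:14Z 203.0.113.7 /status?vin=VINCONSTRUCTED00002 404
2016-02-24T09:00:15Z 203.0.113.7 /status?vin=VINCONSTRUCTED00003 404
2016-02-24T09:00:16Z 203.0.113.7 /status?vin=VINCONSTRUCTED00004 404
2016-02-24T09:00:17Z 203.0.113.7 /status?vin=VINCONSTRUCTED00005 404
2016-02-24T09:05:00Z 198.51.100.4 /status?vin=VINCONSTRUCTED00001 200
"""


def detect_enumeration(log_text, threshold=5):
    """Flag client IPs that query at least `threshold` distinct VINs.

    A legitimate owner repeatedly asks about one or two vehicles; a script
    walking the guessable part of the VIN touches many. Returns a dict
    ip -> number of distinct VINs, for flagged IPs only.
    """
    vins_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the detector
        _ts, ip, path, _status = parts
        if "vin=" in path:
            vins_by_ip[ip].add(path.split("vin=", 1)[1])
    return {ip: len(v) for ip, v in vins_by_ip.items() if len(v) >= threshold}


if __name__ == "__main__":
    tok = login("acct-alice")
    print("no auth:", vulnerable_status("VINCONSTRUCTED00002"))
    print("alice, own car:", hardened_status(tok, "VINCONSTRUCTED00001"))
    print("alice, bob's car:", hardened_status(tok, "VINCONSTRUCTED00002"))
    print("no token:", hardened_status("not-a-token", "VINCONSTRUCTED00001"))
    print("enumeration:", detect_enumeration(SAMPLE_LOG))
```

Two design choices matter here: the ownership check is keyed on the authenticated account rather than on anything the client supplies, so knowing a VIN (which is visible through the windscreen, as several posters note) buys nothing; and unowned VINs get the same 404 as nonexistent ones, so the response itself does not confirm which VINs are real. The detector is deliberately crude; in a real deployment the threshold would be tuned per time window and the 404 ratio per client would be a second signal.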

