Thursday, 25 February 2016

Hacking the robots that carry us around

CGMA Mecha Contest Entry(Combat Mech) by ianskie1These days, cars are computers that happen to have wheels and engines and stuff.  In fact, they're more like robots because they have all kinds of fancy sensors for perceiving the world and actuators for interacting with it. Also, it's better to think of cars as robots because riding around inside robots is awesome.

Increasingly, our cars are just another Thing in the Internet of Things.  They collect data about their movements and have an internet-accessible interface to get at it.  Sometimes, parts of a car's functionality is also exposed through an internet-accessible API.  The Nissan Leaf is one such car.

This is an interesting and cool story.  Someone hacked his own Nissan Leaf and found he could access information about his car (battery status, air conditioning status and so on) without using the official companion app.  He found that these requests were anonymous; they didn't require any kind of authentication and no session ID was used. Then he found that he could do the same to other people's Leafs.

Then he found that he could control some of the car's features, such as air conditioning and heating.  Some of - that is - other people's cars' features.

This might not sound too bad (what's the likelihood of someone turning off your aircon and what's the harm if they do?) but the data hackers could get and the things they could control are less important than the principle.

It wasn't that Nissan used bad authentication, it was that they didn't use any authentication at all. Oh, and that interactions with other people's Leafs is completely anonymous.

It works like this.  'Authentication' is done by the app using the car's VIN code.  This is fucking etched on the car's windscreen.  It's a longish number so you might think you're unlikely to be attacked unless a hacker sees your car. Which they certainly might if they think you blocked them in or stole their parking spot.  It's much worse than that, though. VINs are structured, which means that some of the large number is taken up by codes for the manufacturer, country, year, plant, production run etc. so only the last few digits (5 or 6).  Brute-forcing an attack would take a few lines of code.

According to the BBC, Nissan has said that there's no real problem and that drivers are totally safe.  There's no need for anyone to panic, but I wouldn't say it's safe.  An attacker could turn on the car's heating and aircon while the car was parked, draining the battery and leaving the driver stranded.  In addition, an attacker could get at the driver's username, which might give a clue to their identity.

As I said, it's the principle.  Security wasn't even an afterthought. It wasn't even a thought.

No comments:

Post a Comment