Nissan connect hacks

Batteries wear out. If you have bought a new electric vehicle the chances are that you will be signed up to a leasing deal with the manufacturer which will take care of this replacement, but if you have an older vehicle this is likely to be an expensive moment. Fortunately there is a tempting solution. As an increasing number of electric vehicles from large manufacturers appear on our roads, a corresponding number of them have become available on the scrap market from accident damage.

It is thus not impossible to secure a fairly new lithium-ion battery pack from a modern electric car, and for a significantly lower price than you would pay for new cells. As always though, there is a snag. Such packs are designed only for the cars they came with, and have proprietary connectors and protocols with which they communicate with their host vehicle. Fitting them to another car is thus not a task for the faint hearted. It has a set of elderly lead-acid batteries and would benefit hugely from an upgrade to lithium-ion.


He secured a battery pack from a Nissan Leaf electric car, and he set about reverse engineering its battery management system (BMS). His description of the reverse engineering process is lengthy and detailed, and with its many photos and videos is well worth a read. Quite recently we even covered another truck conversion using Leaf batteries, and last year we featured a Leaf battery teardown.

I remember getting a battery for the car starter battery, gas powered car from a guy who rebuilt batteries as his business, it worked real good too, so it only makes sense people will start rebuilding electric car battery packs and selling them cheaper than the OEM packs.

Sorry, but the article is just FUD. The battery packs in EVs typically outlast the car. Too many unknowns to account for, and too many distinct possibilities. And batteries do fail, often without warning and sometimes in very catastrophic ways.


Oh, and you have to eliminate the dead cells if you want the pack to be worth anything. Take Laptop Li-Ion cells, most laptops have cells in their battery.

When you have thousands of cells, you have to expect failures. Also, you need to provide some evidence for your doubts about life time. There is plenty of real world evidence from cars with hundreds of thousands of miles on them that show the batteries last at least as long as a typical petrol engine.


These are vehicles like taxis that rack up the mileage in a short time, this is a very different use case to someone who commutes 10 miles a day or only does the shopping once a week, in 10 years time with 40k miles on the clock will the battery still be ok?

Automaker Nissan has deactivated remote access to its cars after a security researcher discovered a remote access vulnerability tied to GPS data and climate control functions.


Automaker Nissan deactivated a remote access feature that let owners of its Leaf electric car remotely adjust climate controls and check battery status via a smartphone app. The move comes after a security researcher posted his finding regarding a simple hack that allowed anyone with the right Leaf automobile VIN number to access the climate controls and GPS logs of the targeted automobile.

Security researcher Troy Hunt reported the vulnerability on Wednesday. Hunt posted a video demonstration where he was able to remotely retrieve battery status, GPS log data and control the AC and seat warmers of a car without using the NissanConnect EV app or NissanConnect website.

Nissan spokesperson Steve Yaeger told Threatpost that it has taken the servers for the mobile app offline. Yaeger said Nissan Leaf owners can still access the remote functions via the Nissan Owner Portal website, which is not at risk. The Nissan models impacted by the vulnerability include the Leaf car and eNV electric van. Yaeger said Nissan has not had any reported incidents where Leaf or eNV vehicles were targeted by a hacker using this vulnerability.

Nissan says aboutLeafs and eNV vehicles are impacted by the vulnerability. Nissan reassured its customers, after disabling the app that gave car owners remote access to their cars, they were safe.

The only functions that are affected are those controlled via the mobile phone — all of which are still available to be used manually, as with any standard vehicle. Yaeger told Threatpost that Nissan will fix the problem via an updated app for smartphones, but declined to say when the app would be released. It was built, intentionally, without security. Over the past year automakers Chrysler, General Motors, Toyota and Ford have each reported car hacking vulnerabilities to varying degrees.

While the Nissan hack lacked the sophistication and potential harm to consumers, Thomas said, any vulnerability in a car has the potential to cause harm.


Author: Tom Spring. February 25, pm.

Nissan has pulled its NissanConnect EV app after it was found the software could be hacked to remotely control in-car systems.

The company confirmed the flaw and said it would release an updated version "soon". Troy Hunt, who has detailed his findings on his blog, along with fellow security researcher Scott Helme, found they were able to remotely turn on the car's heated seating, heated steering wheel, fans and air conditioning. Hunt discovered the vulnerability during a software workshop he was attending.

He was able to connect to a Leaf model via the internet before he was able to "control features independently". Responding to the discovery of the flaw, Nissan confirmed that no other "critical driving elements" of its vehicles were compromised. Although the hack was only successful on a non-moving car, the hacker would still be able to see the owner's username -- which could potentially reveal their identity. The hack works, according to Hunt, because Nissan's Connect app, which allows users to control their car, has poor security -- in fact, you only need a car's vehicle identification number in order to gain access to the car.

This number is often visible in the window of a car. And because these numbers only differ in the last five digits, it's possible for hackers to use tools to test every possible configuration -- allowing potential access to any car. It's not the first vehicle to fall short of security standards. One car, a Jeep, was "paralysed" on the motorway with a driver inside. Worry not, though -- solutions are already being designed.

Boris Danev, a Swiss computer scientist, has developed a chip for car keys. The small piece of silicon can fit inside a key and blocks hacking signals from outside of the car. The hack no longer worked after Helme disconnected his car from the app, but Hunt warns that users who do have a connected app are at risk.

By Leon Poultney.

Even Google maps allows you to download maps for offline use. You can even select only the areas that you need. So you don't have to over load your phone with map info that you won't use. Driving with navigation without traffic is like knowing where you're going but not knowing when you will arrive.

I know you may have multiple choices regarding car navigation, especially the free ones. It does not mean OP's deal is not good. For people, like myself, who enjoy using car navigation rather than any other systems, the promotion is great! I guess if you didn't pay for it, you shouldn't get it but, it's already there ROFL I hear you can pay some hacker to unlock it for a fraction of what Mazda charges for navi.

Just use google maps. Those are the major car companies that don't have a single model in their lineup with carplay and android auto. The map I have now is from so lots of updates needed missing highways etc. Great for driving in the states no data roaming charges. Wow I didn't know this post would cause so much controversy. First off you can use anything you want to navigate the world. Just by looking at the Sun I can tell you what time it is and which way is north.

I have a Nissan and never updated the map since I bought it off the lot. I took a new job later in and noticed part of the commute was missing. It didn't bother me much until I came to find that updates were not free and actually usd plus 25usd shipping. Anyways I told myself that I would wait a few years if I ever bought the update. Well the time has come.

I will finally update my commute. So I checked the site and lo and behold! It's on sale. The moral of the story is wait and it will go on sale. I checked the forums there is an activation code so you can't bootleg the sd card. Murano and maxima had it and models with 7-inch and up dash screens will have it. The rogues that are going to the dealerships have them already. Just that Nissan has not really marketed it yet. It comes with carplay and android.

Across the two days of training, I cover 16 separate discrete modules ranging from SQL injection to password cracking to enumeration risks, basically all the highest priority security bits modern developers need to be thinking about.

I also cover how to inspect, intercept and control API requests between rich client apps such as those you find on a modern smart phone and the services running on the back end server. I subsequently discovered that friend and fellow security researcher Scott Helme also has a LEAF so we recorded the following video to demonstrate the problem. Following is a complete walkthrough of the discovery process, how vehicles in other countries can also be controlled and a full disclosure timeline of my discussions with Nissan.

The LEAF is an electric car which is particularly popular in countries like Norway which offer massive financial incentives to stay away from combustion engines.


This takes a few minutes to set up and effectively what it means is that he can now observe how the mobile app talks to the online services. Jan then fires up the NissanConnect EV app. In other words, he was accessing the API anonymously.

So Jan kept looking. But then he tried turning it on and observed this request. This time, personal information about Jan was returned, namely his user ID which was a variation of his actual name. The VIN passed in the request also came back in the response and a result key was returned. All of these requests were made without an auth token of any kind; they were issued anonymously. Jan checked them by loading them up in Chrome as well and sure enough, the response was returned just fine.

The VIN above differed merely by the last 5 digits. We proxied Chrome through Burp then issued the battery status request again. Our test simply kept the range constrained between known numbers for the sake of time. This gave us the ability to issue requests one after the other, each differing only by a unique VIN in the payload column.

We started Burp issuing the requests. The subsequent responses with the randomised VINs mostly returned bytes and the response you see in the screen above.

Our suspicion that the VIN was the only identifier required was confirmed and it became clear that there was a complete lack of auth on the service. Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded. I reported it to Nissan the day after we discovered this (I wanted Jan to provide me with more information first), yet as of today — 32 days later — the issue remains unresolved.

It started out like this: I read your Vtech article and thought that you would be well placed to appreciate this. I'm a Nissan Leaf owner and I found out that Nissan security is pretty abysmal.

This came in just last weekend on 20 Feb and it went on to explain the following: I found out that the whole API is unauthenticated and only requires the VIN to target a vehicle. To add insult to injury those actions are from a simple HTTP GET request.

Browsing through the discussion courtesy of Google Translate, clearly people were not happy with the Nissan app. Create bookmarks with these 2. They go on to conclude precisely what we had earlier on: In all this, it works for me without being authenticated, which is very surprising, and not safe at all, this means that anyone can act on any vehicle, provided it knows the VIN in more is it not written down the visible windshield everyone?

Looks like the authentication uses has get the VIN in the user profile. There are always local idiosyncrasies to be considered (particularly in the auto industry), but there appears to be very little reuse across Canada and Norway in terms of how the API is implemented. The person who reported the Canadian finding to me finished up by saying this: My hypothesis on this is that it was bound to surface due to the poor quality of the app, the more tech savvy "with free time" users will tinker with broken things to get them working for them.

The fail was probably discovered soon after the app change and multiple times but by people that didn't fully appreciate the greater implication or by people like me that didn't know what to do with that knowledge. His first sentence is spot on — the ease of discovery of this risk is high as is evidenced by three separate parties already finding it independently (my Norwegian student, the Canadian follower and the folks in the forum).

Two security researchers have demonstrated security vulnerabilities in the Nissan Leaf electric car by using mobile management APIs supplied by the car manufacturer.

The unsecured APIs allow anyone who knows the VIN of a car to access non-critical features such as climate control and battery charge management from anywhere across the Internet. Additionally, someone exploiting the unauthenticated APIs can see the car's estimated driving range. This could easily be used to build up a profile of my driving habits, considering it goes back almost 2 years, and predict when I will be away from home.

This kind of data should be collected and secured with the utmost respect for my privacy. In a blog and embedded video, the security researchers, Scott Helme and Troy Hunt, described the discovery by a third unnamed person who'd been attending a security workshop with them. Hunt, who is from Australia, then demonstrated how he was able to access Helme's Nissan Leaf -- even though he was 10, miles away in England. The security workshop attendee, Hunt wrote, went back to his hotel room the first day and proxied his iPhone via his PC, using Fiddler debugging software.

Jan then fires up the NissanConnect EV app. While Hunt said the vulnerabilities could not be exploited to create a life-threatening situation, hackers could use the NissanConnect app to do things such as run down a vehicle's battery. "If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it. You'd be stranded," Hunt wrote. In an email reply to a Computerworld inquiry, Nissan said it is aware of "a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions.

In an interview with the BBC, Hunt said the right thing for Nissan to do would be to turn off the app altogether. "And to be honest, a fix would not be hard to do," Hunt said.

Senior Reporter Lucas Mearian covers financial services IT (including blockchain), healthcare IT and enterprise mobile issues including mobility management, security, hardware and apps.

If you decide to buy cheap Nissan GPS Updates then you will benefit from accurate directions to your next destination, which include any new roads, sub-divisions, plus updated business addresses.

The maps on this new disc have been updated and improved since the last software release. As an additional extra you will have access to millions of POI points of interest files which will let you get to useful destinations on time and safely including tourist attractions, ATMs, hospitals, shopping malls, sports stadiums and much more.

These include new roads appearing, junctions changing, new town developments being planned, and businesses changing their address. The actual Nissan Navigation Software is pre-installed onto the GPS device, meaning that all the maps and routes will become outdated as soon as a road change occurs.

Thankfully HERE, who are the company that provide map software to all the GPS manufacturers globally, release a new version of their map data annually. Please note, you will probably find plenty of websites on a Google search that offer you a hacked or torrent version of this update.

We do not recommend that you attempt to download any pirated versions of the navigation DVD. You can do that by using the links on this webpage which will take you to the official store where you can update your GPS device securely and safely.

Thanks for visiting GPS Bites. I started the website in to give advice on all matters regarding GPS and navigation.

Nissan disables Leaf car app after security scare

Prior to this I was the marketing manager for a global GPS device company.

How to Update Nissan Navigation System

Click here to go to the official Nissan Navigation Updates website and select your model and year of manufacture from the drop-down selections on the left hand side.

Consult your user manual if you are unsure.

Nissan Navigation DVD 2019 and System Updates

Insert your new map update DVD, and if prompted to do so you will be required to enter in your unique customer authentication code which can be found on the DVD packaging. All you need to do now is sit back and watch, because the install update process should be fully automated, although you might have to press a few confirmation buttons should you be prompted to do so.
