
1 - 20 of 23 Posts

·
Registered
Joined
·
139 Posts
Discussion Starter #1
sorry, not a title anyone wants to see, and now I've got "a server error occurred"... I'll try a post & carry on if it works - I'm being serious about this title btw...
 

·
Registered
Joined
·
139 Posts
Discussion Starter #2
OK I'm up, here's what's given me a fright, this article is FOUR years old but it's the most specific to my concern:
Wi-Fi security flaw for smartphones puts your credit cards at risk
There's other articles you can find from there.

For the last week I've been fighting a nebulous fault on my Apple/Mac devices - don't turn off PC & Android users, this is about mobile phones. My first problem turned up when I couldn't log in to my over-riding Apple account (key to the meaning of life and everything) and my iPad crashed permanently. It was late at night but that got me up to try my desktop. Hours of password chasing, proving ownership, mother's maiden name and fave song of last parrot but one, and I've got all access back, including my Apple-provided email. Next morning, gone again. BTW I have different passwords for everything, I'm not entirely dumb as used Macs for 20 years no problems, but no techie. Over the next few days I successively fought to reclaim and cover with additional verification numbers: Google, Dropbox, LinkedIn...and also seemed to discover rogue mobiles recorded at local sites among the 'recent devices' record but chasing IPs is difficult so couldn't be sure. Took my iPad to the local Apple Store for a reboot, they said impossible to hack my Apple pass except just possibly via Google.

But it's still happening, well they can't get past the verification numbers so my main passwords now appear safe, and incidentally therefore I shouldn't be infecting this site (!). BUT I was idly looking up what the scallies could be doing.... And found the above article. Still didn't mean a lot: triangulated wi-fi, mobile phones picked up out and about by passing wi-fi hotspots - but I only use wi-fi on my iPhone at home, otherwise it's messaging.

BAM! - seen a light - every time I get into my beloved Leaf I plug it into the mobile to record - well, driving economy, all that fun stuff. AND I had downloaded the Connect EV app just before it was withdrawn/ disconnected with suspected hacking vulnerability. It came back on just over a week ago........

Anyone else got a problem? Anyone know about this stuff? Out of the millions of people out there I'm hardly a likely target, yet something has made me unusually vulnerable. Think I'll go back to the Apple shop for some serious discussion, but also think there could still be a problem with Nissan Connect?
 

·
Registered
Joined
·
486 Posts
I'm having a hard time following what you are saying Fran.
Are you saying that you lost all of your Apple passwords because you plugged it into your Leaf? The Connect EV app has been updated and had nothing to do with passwords or credit cards or any such vulnerability - it was simply that someone could guess your VIN number of the Leaf and start your air conditioning/heater and run the battery flat - nothing more sinister than that.

Once Apple passwords get out of sync then it's a nightmare and needs a Genius Bar to assist (unless you want to do a complete factory reset) - but it has nothing whatsoever to do with the Leaf or Nissan app :)
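
The flaw described in the post above, where knowing a VIN alone was enough to issue a remote climate command, shown as an added example beside a corrected check. This is not code from the thread or from Nissan; the function names, VIN placeholders, accounts and token format are all hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: which (made-up) account owns which (placeholder) VIN.
VEHICLE_OWNER = {
    "VINPLACEHOLDER000001": "alice",
    "VINPLACEHOLDER000002": "bob",
}

# Server-side secret used to sign session tokens. A real service would also
# give tokens an expiry; that is left out to keep the example short.
SESSION_KEY = secrets.token_bytes(32)


def _tag(account: str) -> str:
    """HMAC-SHA256 over the account name, hex encoded."""
    return hmac.new(SESSION_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_session(account: str) -> str:
    """Token handed to a client after it has logged in as `account`."""
    return f"{account}.{_tag(account)}"


def account_from_session(token: Optional[str]) -> Optional[str]:
    """Return the account a token was issued to, or None if missing or forged."""
    if not token or "." not in token:
        return None
    account, tag = token.rsplit(".", 1)
    # Compare as bytes in constant time so a forged tag cannot raise or leak timing.
    if hmac.compare_digest(tag.encode(), _tag(account).encode()):
        return account
    return None


def climate_command_vin_only(vin: str) -> bool:
    """Weak form: the VIN is both the identifier and the only 'credential'.

    A VIN is not secret, so any caller who supplies a valid one is accepted.
    """
    return vin in VEHICLE_OWNER


def climate_command_authorized(vin: str, token: Optional[str]) -> bool:
    """Corrected form: a valid session is required and it must own the VIN."""
    account = account_from_session(token)
    if account is None:
        return False
    return VEHICLE_OWNER.get(vin) == account


if __name__ == "__main__":
    alice = issue_session("alice")
    bobs_vin = "VINPLACEHOLDER000002"
    print("VIN-only check accepts a stranger:", climate_command_vin_only(bobs_vin))
    print("Session check, alice on bob's car:", climate_command_authorized(bobs_vin, alice))
    print("Session check, alice on her own car:",
          climate_command_authorized("VINPLACEHOLDER000001", alice))
```
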
 

·
Registered
Joined
·
3,837 Posts
> sorry, not a title anyone wants to see, and now I've got "a server error occurred"... I'll try a post & carry on if it works - I'm being serious about this title btw...
I often get a server error message from speakev at around the same time, being a trusting type I just waited until the server had done its daily 'housekeeping' and was back on line.
 

·
Registered
Joined
·
139 Posts
Discussion Starter #5
Hi pleased to find someone that maybe is a networks techie. Did you read the attachment? OK, I didn't believe it myself, except I have a hacking problem but have always been very security aware and on Macs only which have always been solid on security. This is something new via mobile phones, which is the problem I seem to have. The only time I am connected to any sort of public wi-fi is via the Leaf.

No of course I'm not saying the Leaf is giving direct access to my personal info. However if this attached article is correct it explains how someone managed to pirate my passwords and repeatedly lock me out until I managed to get my ownership proven and verification codes set up. The first alert I had was email confirmation that my Apple password had been changed, it had, so had the name it was under. The same thing went successively through google and other wi-fi interconnecting sites, I was incredulous too. My email addresses for those sites went down until I retrieved ownership. Unknown iphones appeared on the 'your devices recently active' check. My credit cards are safe (so far) as although this post may sound it, I am not a fool. The Apple Store could help with Apple but not with the others of course, or with the wi-fi network & its servers. Sorry if this is long-winded but I need some serious discussion, my first post may have sounded a bit flippant.

I really want to know what security there is on the carwings/NissanConnect network, which of course you link to via a mobile while driving. The vulnerability is apparently about triangulating mobile locations to steal identities via public wi-fi, not I agree the reason Nissan Connect was closed down, but it made me think of an answer to 'why me'. My hacker is apparently local, my Leaf parks at my address, that can be found if you look up charging points, that gives the name on the electoral register, the name my Apple account was so curiously changed to.

Sorry this is long-winded and maybe sounds crazy... I have been fire-fighting this for a whole week.
 

·
Registered
Joined
·
139 Posts
Discussion Starter #6
> I often get a server error message from speakev at around the same time, being a trusting type I just waited until the server had done its daily 'housekeeping' and was back on line.
Yup, the 'server error' here did go away fine, I just had to wait a bit, and check all secure. Maybe you understand if I was a bit jumpy, don't want to pass on any problems!
 

·
Registered
Joined
·
42 Posts
The article is both alarmist and a bit silly.

Anything that connects to a public wifi point (or a private one, in fact) that sends passwords plaintext is stupid.

David
 

·
Registered
Joined
·
1,371 Posts
A few years ago a lot of sites failed that.. facebook for example. It's all https these days though, so as long as you don't ignore certificate errors you're fairly safe.
 

·
Registered
Joined
·
1,903 Posts
It's important to note that the hacking was all about accessing someone else's driving information held by Nissan.
At no stage were any passwords leaked as the issue was that it didn't use any!
It also never provided any way into hacking your phone.
The issue was the other direction.

The communications from the car to Nissan use the phone network.
Your phone never talks directly to the car for driving records/control/battery status as it is via the Nissan servers.
Bluetooth is used for music/hands-free while the car is on but that's different.
The LEAF does not have Wi-Fi.

Public Wi-Fi hotspots aren't secure.
The only reliable security when using those is that provided by the applications themselves.
This ranges from excellent to non-existent.
The paranoid use a VPN:
Virtual private network - Wikipedia, the free encyclopedia
The simplest solution is not to use them.
Just make sure to delete all the Wi-Fi networks you've said "yes" to in the past.
Then just use a decent 3/4G data connection.
Your home Wi-Fi will be fine as long as you are using WPA:
Wi-Fi Protected Access - Wikipedia, the free encyclopedia
(turn off the WPS PIN feature though)
 

·
Registered
Joined
·
631 Posts
As metalhead has stated you do not connect to your car with anything other than Bluetooth as a hands free system. While you can use Bluetooth for more advanced stuff the leaf does not.
Phones are designed these days to assume that the connection is insecure and should encrypt all sensitive data. While apple products used to be more resilient to hacking, that's not really the case any more and as hacks are getting more complex the best you can do is try and be vigilant with sites you visit, and software you run, and use some reputable security software. You can never escape from someone using an exploit that had not yet been detected and patched.
But if turn your attention away from your car, and most likely towards your laptop/pc
 

·
Registered
Joined
·
955 Posts
this affects everything that can connect via WiFi, the only real way to avoid it is to turn off WiFi, the only advice I would give is to never log into anything that contains sensitive information over a public WiFi network, or connect blindly to networks. However even using your home router is generally a security issue, unless you're lucky enough to have one that has regular firmware updates!

as for your issue, you might just have been unlucky with your usernames, I'm afraid I'm guilty of royally annoying some poor bugger as I mistyped a login once and now it remembers it with my password and annoyingly despite my best efforts it always remembers the wrong username!

unless you are very wealthy or have some interesting secrets I wouldn't worry too much, and if you're only logging into forums at public places chances are nothing useful will get stolen, but personally I'm wary of doing any banking or using accounts tied to payment details over public WiFi, the s in the URL means it's secure to someone but not necessarily who you think it is.


one of the best/worst things with modern tech is sharing WiFi access, some phones will do this automatically, which is great for WiFi access, but if you have a million friends on Facebook and just one of those has accessed a dodgy WiFi network and it's setup to share, chances are if you ever find that network you'll be automatically connected without knowing.

still I'm not one for foil hats, I just accept the convenience of instant everything has huge potential to go tits up for me
 

·
Registered
Joined
·
139 Posts
Discussion Starter #12
Yes, I'm sorry if I'm being 'alarmist' & 'silly'. Great.
Just thought I'd raise an issue even though I can't be sure of the cause myself, seemed potentially important.
My iphone connects via bluetooth and hence to the Nissan phone network, it thus exchanges Nissan info re car performance, to and fro. Who cares about the car data, what access may the data flow itself possibly provide? This is the only data network in use outside my BT service.

Anyway, no-one has added much so I'll not pursue further, but just to show I'm not an entire fantasist: here's a typical communication from Google over the last week. (Nissan Connect Is the only new comms item, and yes I've long used Gmail, and yes someone had already achieved access to change the password on my Gmail account, among others, which meant if successful they could use my identity for purchases etc)

"Hi Xxxx, ( my x's)
Someone just tried to sign in to your Google Account [email protected] from an app that doesn't meet modern security standards.
Details:
Thursday, April 14, 2016 8:09 PM (British Summer Time) United Kingdom
We strongly recommend that you use a secure app, like Gmail, to access your account. All apps made by Google meet these security standards. Using a less secure app, on the other hand, could leave your account vulnerable.
Google stopped this sign-in attempt, but you should review your recently used devices:"
( this review showed two mobiles with IPs not in use by me).

I believe as I have now added verification codes everywhere I am now secured. I may hit "deny" on the Nissan mobile link screen for awhile though, just to be sure.
 

·
Registered
Joined
·
54 Posts
Fran, the leaf does NOT use your iPhone to send any data to Nissan; the car has its own SIM card that's in a unit behind the glovebox.

The Bluetooth in the car is purely for making and receiving calls nothing more.
 

·
Moderator
Joined
·
9,719 Posts
Unless you've given the head unit credentials to read your email (a feature that isn't supported by Nissan AFAIK) I don't see how that auth notification is at all related to your car.

The more likely thing in this scenario, is you've been phished and/or had a weak password shared between multiple accounts. The weak link is almost certainly not the LEAF in this instance.

Also if somebody has generated an app-specific password to your account, and you have changed the password they will retain access to your account until you revoke it, regardless of whether you reset the main password or not in most cases.
 

·
Registered
Joined
·
139 Posts
Discussion Starter #15
> Fran, the leaf does NOT use your iPhone to send any data to Nissan; the car has its own SIM card that's in a unit behind the glovebox.
>
> The Bluetooth in the car is purely for making and receiving calls nothing more.

That's useful info, thank you
 

·
Registered
Joined
·
54 Posts
after a brief search setting the question:
Security Issues in Nissan’s Mobile App, NissanConnect, Could Potentially Put Users’ Data at Risk
checking info:
"android.permission.GET_ACCOUNTS
find accounts on the device
Allows the app to get the list of accounts known by the phone. This may include any accounts created by applications you have installed."
Android has nothing to do with an iPhone.

iPhones run iOS which is a completely different operating system.

Your hack has probably come from an email that had something embedded in it, not the Nissan app
 

·
Registered
Joined
·
139 Posts
Discussion Starter #18
Sigh! Will everyone please stop being so patronising.
No-one is hacking my iOS system directly into my imac or devices, please pay attention. I have effective defences in place and am careful re direct hacking/deception/scams. I was nevertheless hacked somehow, straight into passwords to communications accounts. A bluetooth connection is not confined to phone calls even if that's apparently all it is used for. I couldn't understand how I was hacked, which was why it was disturbing. I am still getting notice of attempted logs into my accounts from London but just 'deny' now as the verification codes keep them safe.

I have located a possible answer, ie via public wi-fi and mobile phones/tablets, this also seemed unlikely as I am not a frequent user of public wi-fi although there's plenty available in Brighton-Hove. Which is why I was essentially asking here whether anyone knows anything about in-car systems; above is the line of software that apparently frees up Nissan Connect from a standard security layer. My Leaf is not necessarily the source but it is the only potential vulnerability I can identify I had, and I want to know more about it.

I'd have thought this would be at least of passing interest but maybe the black box approach rules, I admit to enjoying the in-car connectivity without much thought, up until this incident. Looking more into it, it seems it isn't just Nissan, many in-car systems are under scrutiny in the US as the manufacturers are not taking responsibility for cyber security. "Oh in the US" you say no doubt, but where I live is a centre for cyber-techies.

I'll just leave you with this, From a security company I came across : "Cars of the 21st Century have essentially turned into giant smartphones traveling on the road with complex, in-built, internal IT systems. Since the car is now a networked device, a computer system, a mobile phone, it is susceptible to hacking and cyber attacks just like the rest of your digital equipment."
 

·
Registered
Joined
·
6,779 Posts
I don't see anyone being patronising, but providing useful information.

The Leaf does not have any WiFi hardware so cannot physically be providing any vulnerability on that score.

The Bluetooth hardware in the Leaf only has A2DP (for playing music), HFP (for hands free) and PBAP (for address book download - for which you have to enter your PIN and authorise the download). It does not have a networking stack for your phone to connect to the outside world, or for the car to connect to the outside world via your phone.

The Telematics Communication Unit (TCU) in the Leaf is a separate GSM module with its own SIM card that connects to the Nissan Servers. There is no route from your phone to the TCU.

However, you do have to provide username and password for the Nissan CarWings (You+Nissan, whatever) site and that is entered into the car. If you used the same password for CarWings that you use for gmail you might have managed to compromise yourself that way - but using the same password for different accounts does not sound like the sort of thing you would do. But the car itself cannot see your gmail account and has no way to access it. The App vulnerability mentioned is on Android, whereas the iOS apps are sandboxed.

Do you walk around with Wifi turned on on your phone? Or Bluetooth?

1 out of 20 iPhones/iPads can be hacked in less than a minute – what about yours? » Brainstorm Private Consulting Blog

Hack Brief: Upgrade to iOS 9 to Avoid a Bluetooth iPhone Attack

Both seem to be far easier attack vectors to me.
 

·
Registered
Joined
·
139 Posts
Discussion Starter #20
> I don't see anyone being patronising, but providing useful information.
>
> The Leaf does not have any WiFi hardware so cannot physically be providing any vulnerability on that score.
>
> The Bluetooth hardware in the Leaf only has A2DP (for playing music), HFP (for hands free) and PBAP (for address book download - for which you have to enter your PIN and authorise the download). It does not have a networking stack for your phone to connect to the outside world, or for the car to connect to the outside world via your phone.
>
> The Telematics Communication Unit (TCU) in the Leaf is a separate GSM module with its own SIM card that connects to the Nissan Servers. There is no route from your phone to the TCU.
>
> However, you do have to provide username and password for the Nissan CarWings (You+Nissan, whatever) site and that is entered into the car. If you used the same password for CarWings that you use for gmail you might have managed to compromise yourself that way - but using the same password for different accounts does not sound like the sort of thing you would do. But the car itself cannot see your gmail account and has no way to access it. The App vulnerability mentioned is on Android, whereas the iOS apps are sandboxed.
>
> Do you walk around with Wifi turned on on your phone? Or Bluetooth?
>
> 1 out of 20 iPhones/iPads can be hacked in less than a minute – what about yours? » Brainstorm Private Consulting Blog
>
> Hack Brief: Upgrade to iOS 9 to Avoid a Bluetooth iPhone Attack
>
> Both seem to be far easier attack vectors to me.

Thank-you, that's all helpful info.
I did not have the same password for Carwings as for gmail but admit it wasn't far off, the gmail one now changed to something completely different. Think I'd be happier though if I could change the Carwings one, do you know if this is possible? Suspect my dealer wouldn't know how to do this...I'll check the handbook.

Bluetooth is turned on in my mobile so I can use it in the Leaf (sic) it already had iOS 9.3.1, it is not jail-broken, all apps are installed via Applestore. I understood that the Android software was not in ref to my phone which agreed is not android, rather it is a bit of code within the Nissan system that enables gathering of account existence on other devices - apparently. However it's good to know there's no connection between the TCU and the phone's bluetooth. Are the remote turn ons etc by wi-fi or bluetooth? If I don't keep the bluetooth facility on I lose music & hands free...

My searching about the hack possibilities pointed to there being an issue, as I understand it, not about directly reading off phone data from the car, but being able to track the location of a specific device by triangulating wi-fi signals (TCU must be sending these?) , which then makes it vulnerable as specifically trackable...sorry this is beyond me but I can find the info again if of interest. If you use a public wi-fi you usually go out of range before going home so no continued link. But I had this curiosity: my Apple account was changed into my married name which I never use except for voting & tax, so it could only be linked (eg by voter reg) & used to get into that account if my home address was located & then name looked up, but in no other way; I park at home overnight. The hacker's devices were located in Hove (shared council) and London. Hmm local scallies.

If this is getting boring I'll understand! Thanks for your help.
 