At the Venafi Machine Identity Management Summit 2022, Troy Hunt showed that machine identity in some early electric cars was appallingly bad.
“The whole concept of machine identity and how we can trust devices in an application...touches close to home for me,” Hunt said, speaking at the Summit on Wednesday.
“I’ve had experiences…where we didn’t have that trust and that machine identity.”
He related a couple of first-hand experiences where things have gone radically wrong.
While data breaches he sees are typically due to flaws in application logic, the two examples he expounded on exposed serious flaws in the way mobile devices communicate with APIs.
That electric car maker did what?
In 2016 Hunt was running a workshop for developers in Oslo. He did these workshops because companies would often say, 'We want to get you here because we don’t want to end up on your website.'
“Which makes it feel like a protection racket but it’s not,” he added.
“Then one of the guys at the workshop said, ‘I wonder how the app from my Nissan Leaf is actually talking to my car?’”
(When the first wave of EVs hit the market back in 2012-2013, the Nissan Leaf was an early leader, along with the Tesla Model S and the Chevy Volt.)
Hunt wondered what the app did exactly – again this was back in the day when car apps weren’t as popular as they are today. The car came with an app (common today) that allowed you to look at things like battery status – critical for EVs. The app also allowed the owner to control functions remotely.
“And [the guy] said, ‘I can control the heater in my car remotely.’ It turns out that it’s so cold in Norway that they need to heat the car up before they get in,” Hunt said.
But the guy wanted to know how his mobile device knew which car to talk to. He thought there must be a key or secret of some kind involved.
“He found the secret key was printed on the window. It was literally the VIN number!” Hunt said.
“There are multiple problems with this,” Hunt said. “One of them being that the VIN is displayed on the [windshield].”
“If I can get the VIN number from the [windshield], I can control the car,” Hunt said. Another problem is that VIN numbers are easy to guess. If you keep rotating numbers, you’ll eventually get a response back indicating that the number belongs to a car: your own or, if you're a bad actor, somebody else's.
“I reached out to Nissan. They were very interested [but only] for a while.”
The challenge becomes, how do you help an organization realize they have a problem and then fix the problem, Hunt said.
Ultimately, Hunt – who lives in Australia – was able to turn on the heater on a friend’s Leaf located in the UK.
“I made stuff happen in the car on the other side of the world just by having the VIN number.”
“As soon as I wrote about it a month later, Nissan turned the service off.”
He also discussed an experience he had with a watch for children that allowed parents to track their kids remotely. That device was similarly vulnerable, and it turned out to be fairly easy for somebody to access the watch’s data and find out where the child was.
“Think about the chain of communication. The problem is lack of machine identity,” Hunt said.
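The Leaf flaw described above comes down to an API that treats the VIN as both the identifier and the credential. The sketch below is an added example, not code from Nissan or from Hunt's talk; the handler names, the in-memory stores and the VINs are constructed for illustration. It sets that pattern beside a handler that authenticates the caller and then checks that the caller owns the vehicle.

```python
import secrets

# Constructed sample data: the VINs and account names are placeholders.
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
SESSIONS = {}  # session token -> account name


def login(account):
    """Stand-in for real user authentication; returns an unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def climate_on_vin_only(vin):
    """The flawed pattern: the VIN is the only 'credential' the API asks for."""
    if vin in OWNERS:
        return 200, "climate on"
    return 404, "unknown vehicle"  # also tells any caller which VINs exist


def climate_on_authorized(token, vin):
    """Hardened: authenticate the caller, then check they own this VIN."""
    account = SESSIONS.get(token)
    if account is None:
        return 401, "not authenticated"
    # Same answer for 'no such VIN' and 'not your VIN', so responses
    # cannot be used to confirm which VINs are registered.
    if OWNERS.get(vin) != account:
        return 403, "forbidden"
    return 200, "climate on"
```

In the hardened handler the VIN is only a lookup key; the decision rests on a secret issued to an authenticated owner, which a number printed on the windshield cannot replace.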