Machine to Machine Communication in Early EVs was Appalling: Troy Hunt at Summit

October 12, 2022 | Brooke Crothers

At the Venafi Machine Identity Management Summit 2022, Troy Hunt showed that machine identity in some early electric cars was appallingly bad.

Troy Hunt, who created the massively popular website Have I Been Pwned?, discussed how dicey machine to machine communication can be on widely-used consumer devices.

“The whole concept of machine identity and how we can trust devices in an application...touches close to home for me,” Hunt said speaking at the Summit on Wednesday.

“I’ve had experiences…where we didn’t have that trust and that machine identity.”

He related a couple of first-hand experiences where things have gone radically wrong.

While data breaches he sees are typically due to flaws in application logic, the two examples he expounded on exposed serious flaws in the way mobile devices communicate with APIs.

That electric car maker did what?

In 2016 Hunt was running a workshop for developers in Oslo. He did these workshops because companies would often say, 'We want to get you here because we don’t want to end up on your website.'

“Which makes it feel like a protection racket but it’s not,” he added.

“Then one of the guys at the workshop said, ‘I wonder how the app from my Nissan Leaf is actually talking to my car?’”  

(When the first wave of EVs hit the market back in 2012-2013, the Nissan Leaf was an early leader, along with the Tesla Model S and the Chevy Volt.)

Hunt wondered what the app did exactly – again, this was back when car apps weren’t as common as they are today. The car came with an app (standard now) that let the owner check things like battery status – critical for EVs – and also control functions remotely.

“And [the guy] said, ‘I can control the heater in my car remotely.’ It turns out that it’s so cold in Norway that they need to heat the car up before they get in,” Hunt said.

But the guy wanted to know how his mobile device knew which car to talk to. He thought there must be a key or secret of some kind involved.

“He found the secret key was printed on the window. It was literally the VIN number!” Hunt said.

“There are multiple problems with this,” Hunt said. “One of them being that the VIN is displayed on the [windshield].”

“If I can get the VIN number from the [windshield], I can control the car,” Hunt said. Another problem is that VINs are easy to guess. Keep rotating numbers and you’ll eventually get a response back indicating a valid car – your own or, if you're a bad actor, somebody else's.
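To make the authorization failure concrete, here is an added example that is not from Hunt's talk and has nothing to do with the actual Nissan app or API. It contrasts a toy vehicle-control endpoint where the VIN is the only "credential" (the pattern described above) with one where an app instance is explicitly paired to a vehicle, holds a random per-device secret, and proves possession of it on each request; it also shows the kind of signal a defender would watch for on the weak design. All vehicle identifiers, device names and the pairing flow are constructed for the example.

```python
"""Added illustration (not Nissan's code): VIN-as-credential versus a paired
device identity for a remote vehicle-control API."""
import hashlib
import hmac
import secrets

# Constructed fleet; these are not real VINs and the record layout is hypothetical.
VEHICLES = {
    "VIN-EXAMPLE-0001": {"heater": False},
    "VIN-EXAMPLE-0002": {"heater": False},
}


# --- Pattern 1: the VIN is the only "key" ----------------------------------
def weak_set_heater(vin, on):
    """Anyone who knows or guesses a VIN in the fleet can act on that car.
    The VIN is printed on the windshield, so it is not a secret at all."""
    if vin not in VEHICLES:
        return "unknown vehicle"
    VEHICLES[vin]["heater"] = on
    return "ok"


# --- Pattern 2: each app instance is paired to one car and holds a secret ----
# device_id -> (vin, secret). In a real system the pairing step would require
# proof of ownership (assumed here, e.g. confirmation from inside the car).
PAIRINGS = {}
SEEN_NONCES = set()


def pair_device(device_id, vin):
    """Issue a random 256-bit secret to one app instance and bind it to one VIN."""
    secret = secrets.token_bytes(32)
    PAIRINGS[device_id] = (vin, secret)
    return secret


def sign_request(secret, device_id, vin, action, nonce):
    """HMAC-SHA256 over the request fields; the nonce makes every signature unique."""
    msg = f"{device_id}|{vin}|{action}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def hardened_set_heater(device_id, vin, on, nonce, mac):
    """Accept the command only from a device bound to this VIN that proves
    possession of its secret, and refuse replayed requests."""
    pairing = PAIRINGS.get(device_id)
    if pairing is None:
        return "unknown device"
    bound_vin, secret = pairing
    if bound_vin != vin:
        return "device not bound to this vehicle"
    if nonce in SEEN_NONCES:
        return "replay"
    action = "heater_on" if on else "heater_off"
    expected = sign_request(secret, device_id, vin, action, nonce)
    if not hmac.compare_digest(expected, mac):
        return "bad signature"
    SEEN_NONCES.add(nonce)
    VEHICLES[vin]["heater"] = on
    return "ok"


# --- Defender's view of the weak API ----------------------------------------
def clients_touching_many_vins(requests, threshold=3):
    """Flag client addresses whose requests reference many distinct VINs.
    A legitimate owner app talks to one car; a VIN-guessing client does not.
    `requests` is a list of dicts with "client" and "vin" keys (constructed)."""
    vins_per_client = {}
    for req in requests:
        vins_per_client.setdefault(req["client"], set()).add(req["vin"])
    return sorted(c for c, v in vins_per_client.items() if len(v) >= threshold)
```

The point of the hardened version is not the HMAC itself but the binding: the server decides whether to act on a car based on a credential issued to a specific device at pairing time, not on an identifier anyone standing next to the car can read. The detection helper is the complementary control for an API that cannot be fixed immediately: one client address addressing many different vehicles is a signal worth alerting on.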

“I reached out to Nissan. They were very interested [but only] for a while.”

The challenge becomes, how do you help an organization realize they have a problem and then fix the problem, Hunt said.

Ultimately, Hunt – who lives in Australia – was able to turn on the heater on a friend’s Leaf located in the UK.

“I made stuff happen in the car on the other side of the world just by having the VIN number.”

“As soon as I wrote about it a month later, Nissan turned the service off.”

He also discussed an experience he had with a watch for children that allowed parents to track their kids remotely. That device was similarly vulnerable: it turned out to be fairly easy for somebody to access the watch’s data and find out where the child was.

“Think about the chain of communication. The problem is lack of machine identity,” Hunt said.
