Hackers can control features in Nissan’s Leaf electric cars over the internet, allowing them to remotely switch on the air conditioning and heating, or pull information from the car including driving history, complete with GPS co-ordinates.
The car can be hacked by exploiting a weakness in the way it communicates with its companion app, NissanConnect EV. The app itself can be used to control the in-car climate and check driving range, but only for the owner’s car.
However, the security researcher Troy Hunt reports that the app’s communication with the car is entirely unauthenticated, allowing anyone to send the same commands and requests for information over the web. Worse, the only way the app specifies which car to connect to is with the vehicle identification number (Vin), which is unique to each car. But Vins for Leaf cars differ only in the last five digits, and the number is frequently visible through the windscreen.
The damage potential is low compared with other recent vehicle hacks, particularly the vulnerable Jeeps first reported in September 2015, which could be remotely steered and accelerated by an attacker. But it still allows an attacker to run the battery of a car flat, by leaving the heating on for hours on end, and greatly compromises the privacy of the user.
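An added example, not code from Nissan, the app or Hunt’s report: a minimal server-side check for the weakness described above, in which a command is accepted only with a token issued at login and only for a Vin linked to that account. The function names, token format and Vin placeholders are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample data: made-up placeholder Vins, not real vehicle numbers.
OWNED_VINS = {"alice": {"EXAMPLEVIN0000001"}, "bob": {"EXAMPLEVIN0000002"}}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def _tag(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Hypothetical: called after a successful login (login is out of scope).
    Assumption: expiry and revocation are handled elsewhere."""
    return f"{account}.{_tag(account)}"


def account_from_token(token: Optional[str]) -> Optional[str]:
    """Return the account the token was issued to, or None if missing or forged."""
    if not token or "." not in token:
        return None
    account, tag = token.rsplit(".", 1)
    # Constant-time comparison on bytes so odd input cannot raise or leak timing.
    ok = hmac.compare_digest(tag.encode(), _tag(account).encode())
    return account if ok else None


def climate_unauthenticated(vin: str, turn_on: bool) -> Tuple[int, str]:
    """The reported behaviour: the Vin alone selects the car."""
    return 200, f"climate {'on' if turn_on else 'off'} for {vin}"


def climate_authorized(token: Optional[str], vin: str, turn_on: bool) -> Tuple[int, str]:
    """Hardened form: authenticate the caller, then check ownership of the Vin."""
    account = account_from_token(token)
    if account is None:
        return 401, "authentication required"
    if vin not in OWNED_VINS.get(account, set()):
        # A Vin is an identifier, not a credential: knowing it grants nothing.
        return 403, "vehicle not linked to this account"
    return 200, f"climate {'on' if turn_on else 'off'} for {vin}"
```

The same two checks would apply to the requests that return driving history, since those are selected by Vin in the same way.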
Hunt said: “Nissan need to fix this. It’s a different class of vulnerability to the Charlie Miller and Chris Valasek Jeep hacking shenanigans of last year, but in both good and bad ways. Good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial.
“As car manufacturers rush towards joining in on the ‘internet of things’ craze, security cannot be an afterthought nor something we’re told they take seriously after realising that they didn’t take it seriously enough in the first place. Imagine getting it as wrong as Nissan has for something like Volvo’s ‘digital key’ initiative where you unlock your car with your phone.”
Hunt initially disclosed the vulnerability to Nissan in late January, and received an acknowledgement that the company was “making progress toward a solution”. But two other separate groups of Leaf owners had also discovered the vulnerability independently, prompting Hunt to publicly disclose the flaw.
The Guardian asked Nissan for comment, but received no reply.