A security researcher looking at the Nissan Leaf electric vehicle (EV), has found that some of its cars can be easily hacked through its companion app.
The Nissan Leaf was one of the first EVs to have a companion app, called NissanConnect, that would allow the car owner to monitor the car’s performance on the road, but also allows for the control of the car’s air conditioning system and home charging.
However, security researcher Troy Hunt has looked into the programming behind NissanConnect and the software within the Nissan Leaf and has discovered that the system has a major vulnerability that allows someone else to remotely control the NissanConnect systems without the owner being aware of it.
Detailing how he did it on his blog, Hunt says that the key to the issue was the app itself, which only needs the car’s vehicle identification number (VIN) to access the app, with the majority of this VIN being found on a sticker on the car’s windscreen.
The only minor challenge is that the remaining five characters will be different, but Hunt was able to script a program to whittle through all the possible combinations of these five digits, which doesn’t take particularly long.
Because the NissanConnect is also accessible from a web browser, the person trying to maliciously gain access will not even need the app to do it. Australia-based Hunt tested out these methods on the Nissan Leaf of a colleague and found he could hack the car.
Not life-threatening
Speaking with the BBC, however, Hunt has said that, while this is clearly an issue for Nissan and Nissan Leaf owners to be worried about, further testing shows that the hack does not work when the car is moving, and was not accessible once his friend de-registered the VIN from the car.
The other major question over this vulnerability has been whether it allows access to the car’s location data but, according to Hunt, only the distance travelled and similar statistics are available.
Regardless, Hunt believes that, in the wrong hands, this hack could potentially make a Leaf driver completely powerless, quite literally.
“If I was to monitor your movements over the course of the week and learn when you go to and from work, shortly after you got to your office I could run the heating for the remainder of the day,” Hunt says.
“That would potentially leave you with very little power – certainly not enough to get back home.”
Since Hunt went public with his detailed process of how he accessed the car, Nissan has since taken the NissanConnect service offline temporarily.
Nissan Leaf image via Paul Mullet/Flickr
