Nissan Leaf app disabled after claims in-car system could be hacked
Nissan has disabled all functions of its “NissanConnect EV” app following claims the software could be hacked and used to control in-car systems remotely.
On Wednesday, security researcher Troy Hunt published a blog post that alleged Nissan’s Leaf electric car systems are vulnerable to hackers through the app, which allows Leaf drivers to check their car’s battery, estimated driving range and control parts of the climate control system.
According to his blog, he was able to remotely turn on the cars seat heaters, air conditioning and fans by exploiting a security flaw in the app. All he needed was the last five digits of the vehicle’s vehicle identification number (VIN).
Hunt said he was also able to access in-app details, such as the cars travel distances and times.
The Australia-based security researcher was first alerted to the flaw in January while attending a conference in Norway, but he decided to investigate the issue further after a Canadian reader reached out to him regarding his own vehicle.
“I’m a Nissan Leaf owner and I found out that Nissan security is pretty abysmal. They have an App to remote start charging, start/stop the AC/Heat, and get updated on current state of the vehicle,” read the email sent to Hunt.
“I found out that the whole [application program interface] API is unauthenticated and only requires the VIN to target a vehicle.”
Nissan has denied any safety threat related to the flaw.
That said, as Engadget pointed out, pranksters could have exploited the hack to run the heating all day to kill someone’s car battery, for example.
According to a statement from Nissan issued to the outlet, the company decided to disable the app following Hunt’s investigation.
“No other critical driving elements of the Nissan LEAF or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle,” read the statement.
“We apologize for the disappointment caused to our Nissan LEAF and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.”
Nissan plans to release an updated version of the app to correct the flaw, according to Engadget.
The automaker isn’t the first to come under fire for security issues.
In 2015, BMW had to offer a software patch after hackers remotely unlocked the doors of its cars.
Last July, an article in Wired magazine detailed how two well-known hackers, Charlie Miller and Chris Valasek, took control of a Jeep Cherokee through its UConnect entertainment system. They were able to change the vehicle’s speed and control the brakes, radio, windshield wipers and other features.
Fiat Chrysler quickly released a software fix to prevent future hacking into the Jeep Cherokee and other vehicles.
“Nissan needs to fix this. It’s a different class of vulnerability to the Charlie Miller and Chris Valasek Jeep hacking shenanigans of last year, but in both good and bad ways. Good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” wrote Hunt.
“As car manufacturers rush towards joining in on the “internet of things” craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place.”
© 2016 Shaw Media