Hackers can remotely control Nissan Leaf’s heating and access driving history
The scary part about this vulnerability is that someone does not have to be anywhere near your Leaf to access its features; in fact, they can be accessed from across the world. Owner Scott Helme, who is also a cybersecurity adviser, said: “I was sat in the vehicle with everything powered off and didn’t have my key on me”. He inadvertently found he could control other Leafs, too.
The car can be hacked by exploiting a weakness in the way it communicates with its companion app, NissanConnect EV.
It relates to an underlying problem with the car’s NissanConnect app; namely, that it only requires the Vehicle Identification Number (VIN) for authentication.
Troy Hunt says he reached out to Nissan and gave the company one month to fix the issue before making it public, but Nissan did not do so during that time, so Hunt went public.
Hunt advises Leaf owners to disable their Nissan CarWings account in order to be on the safe side.
The researchers were able to access the vehicle’s climate control features and obtain the user’s ID and driving history, including distance traveled, vehicle power consumption, and “GpsDateTimes”.
What started as a live demonstration with a student during a training conference has turned to scarlet-faced embarrassment for Nissan: its Leaf ‘leccy cars come with an unsecured app for checking the charge state and operating the air-con. Obviously, in a more serious hacking situation, this could allow malicious attackers to take control of various aspects of Nissan Leaf vehicles, including running down a car’s battery or, even worse, accessing data on the car’s recent journeys, which could be used to strand individuals.
The APIs used by the apps are open and unauthenticated, and as a result hackers can access those same features as long as they can connect to the Internet, Hunt said in a blog post.
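As an added illustration (not Nissan’s code and not the real NissanConnect API), here is the contrast between a vehicle endpoint that treats the VIN as its only credential, the pattern described above, and one that binds every request to an authenticated owner. Handler names, the sample VINs and the owner records are constructed for this example.

```python
import secrets
from typing import Optional

# Constructed sample data: placeholder VINs and owners, not real vehicles.
VEHICLES = {
    "VIN-EXAMPLE-00001": {"owner": "alice", "climate_on": False, "battery_pct": 81},
    "VIN-EXAMPLE-00002": {"owner": "bob", "climate_on": True, "battery_pct": 64},
}
SESSIONS: dict = {}  # session token -> username, filled by login()


def login(username: str) -> str:
    """Issue a random session token for an owner (password check omitted for brevity)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def climate_status_vin_only(vin: str) -> Optional[dict]:
    """Weak pattern: the VIN is the only 'credential'.

    Anyone who knows or guesses a VIN gets the vehicle's data, and since VINs
    of one model typically differ only in their last few digits, the keyspace
    is small enough to walk through.
    """
    v = VEHICLES.get(vin)
    if v is None:
        return None
    return {"climate_on": v["climate_on"], "battery_pct": v["battery_pct"]}


def _authorised_vehicle(token: str, vin: str) -> Optional[dict]:
    """Return the vehicle record only if the session is valid and owns that VIN."""
    user = SESSIONS.get(token)
    v = VEHICLES.get(vin)
    # Same answer for "unknown VIN" and "not your VIN", so the endpoint does
    # not double as an oracle for which VINs exist.
    if user is None or v is None or v["owner"] != user:
        return None
    return v


def climate_status_owner_bound(token: str, vin: str) -> Optional[dict]:
    """Hardened read: authenticated session plus ownership check on the VIN."""
    v = _authorised_vehicle(token, vin)
    if v is None:
        return None
    return {"climate_on": v["climate_on"], "battery_pct": v["battery_pct"]}


def set_climate_owner_bound(token: str, vin: str, on: bool) -> bool:
    """Hardened write: the same ownership check guards the climate-control toggle."""
    v = _authorised_vehicle(token, vin)
    if v is None:
        return False
    v["climate_on"] = on
    return True
```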
“No other critical driving elements of the Nissan Leaf or eNV200 are affected”. “Normally it’s only the last five digits that differ”, Hunt told the BBC.
But after first telling Nissan about the problem on 23 January, he said he felt the company should have suspended the app at an earlier point.
Although the vehicle isn’t vulnerable to being remotely driven and doesn’t leak sensitive personally identifiable information, Helme did note that being able to turn the fans on and off could allow an attacker to run down a Leaf’s battery. Nissan has not commented on the allegations.
He goes on to add that automakers need to be wary of jumping into the “Internet of Things craze” if they treasure the safety of their customers.