Nissan Leaf Companion App Vulnerabilities Revealed, Led The Car Company to Disable the App
A computer security researcher managed to hack a Nissan Leaf, one of the world's best-selling electric cars, in an experiment he did during a training session. Troy Hunt found a flaw in the companion app and managed to control features of other people's Leaf cars.
In his blog post, Troy Hunt explained in detail how a Leaf could be hacked with only the vehicle's VIN as information. The VIN is the Vehicle Identification Number, which identifies the chassis of a car. Besides the VIN, the process would need only a web browser and an internet connection.
Mr Hunt said that the security issue was not life-threatening. The NissanConnect app could be used to check and control limited features, such as checking the battery's state of charge, starting charging, seeing the estimated driving range, and controlling the climate control system. However, the vulnerability in the app still means that hackers could cause mischief by running down people's batteries and could spy on drivers' recent drive data.
After Mr Hunt confirmed the issue, he made several attempts to get Nissan to resolve it. In January, he sent the full details of the findings to the car company. He followed up several times and stated that he would make it public 4 weeks after the first disclosure, which he did.
Mr Hunt still recommends that Nissan turn the app off. For car owners, he advised disabling the Nissan CarWings account. He expressed his disappointment to the BBC. "They are going to have to let customers know. And to be honest, a fix would not be hard to do. It's not that they have done authorization badly, they just haven't done it at all, which is bizarre," he said.
On the other hand, the carmaker's spokesperson said that the company was tackling the problem. "Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions. It has effects whatsoever on the vehicle's operation or safety," she said, adding that the company's global technology and product teams are currently working on a permanent solution.
For now, the app has been officially deactivated, as reported by USA Today. Nissan reassured car owners that they can continue to use their cars safely without fear of hackers controlling features from the app.
Troy Hunt's discovery of the vulnerability in the Nissan Leaf companion app has led the car company to reevaluate its internet safety. The company's teams are working on a permanent solution, and the app has been switched off to eliminate potential threats.