Nissan disables Leaf car app after security scare
Nissan has pulled its NissanConnect EV app after it was found the software could be hacked to remotely control in-car systems.
The company confirmed the flaw and said it would release an updated version “soon”.
Troy Hunt, who has detailed his findings on his blog, and fellow security researcher Scott Helme found they were able to remotely turn on the car’s heated seating, heated steering wheel, fans and air conditioning. Hunt discovered the vulnerability during a software workshop he was attending.
He was able to connect to a Leaf over the internet and then “control features independently”. Responding to the discovery of the flaw, Nissan confirmed that no other “critical driving elements” of its vehicles were compromised. “The only functions that are affected are those managed via the mobile phone,” a spokesperson for the company said.
Although the hack was only successful on a non-moving car, the hacker would still be able to see the owner’s username — which could potentially expose their identity. “Whilst it’s not specifically personally identifiable information such as the individual’s address, it may not take too much effort to pack that gap,” Hunt wrote.
The hack works, according to Hunt, because Nissan’s Connect app, which lets users control their car, has poor security — in fact, you only need a car’s vehicle identification number (VIN) in order to gain access to the car. This number is often visible in the window of a car.
And because these numbers only differ in the last five digits, it’s possible for hackers to use tools to test every possible combination — allowing potential access to any car. “We didn’t need to test all 20,000 possible VINs within that range,” Hunt wrote. “We just had to issue requests until we found one that returned the battery status of another vehicle.”
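On the defensive side, the enumeration described above leaves a recognisable trace in server logs: one client requesting many VINs that share a prefix in a short time. The sketch below is an added example, not code from the article, Hunt or Nissan; the record format, client names, thresholds and placeholder VINs are all assumptions. It complements, rather than replaces, requiring authentication that ties each request to the car's owner.

```python
from collections import Counter, defaultdict

SERIAL_LEN = 5  # per the article, the VINs differed only in the last five digits

def find_vin_enumerators(records, window=60, max_distinct=3):
    """records: iterable of (epoch_seconds, client_id, vin) tuples (assumed format).

    Returns {client_id: peak}, where peak is the largest number of distinct
    same-prefix VINs the client requested within any `window` seconds, for
    clients whose peak exceeds `max_distinct`.
    """
    by_key = defaultdict(list)
    for ts, client, vin in records:
        by_key[(client, vin[:-SERIAL_LEN])].append((ts, vin))

    flagged = {}
    for (client, _prefix), hits in by_key.items():
        hits.sort()
        in_window = Counter()  # VIN -> requests currently inside the window
        start = peak = 0
        for ts, vin in hits:
            in_window[vin] += 1
            # Evict requests that have aged out of the sliding window.
            while hits[start][0] <= ts - window:
                old = hits[start][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[client] = max(peak, flagged.get(client, 0))
    return flagged

# Constructed sample log; the VINs are placeholders, not real vehicles.
PREFIX = "EXAMPLEVIN00"
SAMPLE = (
    # An owner polling their own car every ten minutes.
    [(1000 + i * 600, "owner-app", PREFIX + "10001") for i in range(5)]
    # One client stepping through consecutive serials, one per second.
    + [(2000 + i, "scanner", f"{PREFIX}{20000 + i:05d}") for i in range(8)]
    # A client touching four different cars, five minutes apart.
    + [(5000 + i * 300, "fleet-admin", f"{PREFIX}{30000 + i:05d}") for i in range(4)]
)

if __name__ == "__main__":
    print(find_vin_enumerators(SAMPLE))
```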
It’s not the first vehicle to fall short of security standards. Last year, WIRED US reported on a “summer of epic car hacks” in which car doors were unlocked and windscreen wipers turned on and off. One car, a Jeep, was “paralysed” on the motorway with a driver inside. Worry not, however — solutions are already being designed. Boris Danev, a Swiss computer scientist, has developed a chip for car keys. The tiny piece of silicon can fit inside a key and blocks hacking signals from outside of the car.
The hack no longer worked after Helme disconnected his car from the app, but Hunt warns that users who do have a connected app are at risk. “Anyone could potentially enumerate vehicle identification numbers and control the physical function of any vehicles that responded,” he wrote. “That’s a very serious issue.” Hunt told WIRED that disabling the app wouldn’t “influence vehicles or customers in any significant way”. “It’ll merely mean they can’t remotely operate climate control features,” he added.