Nissan has disabled an app that allowed owners of its electric Leaf auto to control their cars’ heating and cooling from their phones, after an Australian researcher showed he could use it to control others’ cars as well.
Advertisement
In order to gain access to the auto through the apps, a potential hacker would need to have the car’s VIN number. Vins’ initial characters refer to the car’s brand and make, as well as the country of manufacture/location of the company’s headquarters, which means they would only be the last numbers that varied between different Leafs based in the same area.
Hunt claims in the post on his website that he reached out to Nissan in January, so that the company could address the security flaw. Helme said to disable CarWings, vehicle owners must log into the service from their browser, as it reportedly can not be done through the mobile app. Once logged in, the auto owner should select “Configuration” from the menu and select the “Remove CarWings” option.
A cybersecurity expert has found that the Nissan Leaf can be hacked. The hackers don’t have to be located anywhere near the affected vehicle, although if they have a specific person’s Nissan Leaf in mind for an attack, they’ll have to know the Vehicle Identification Number, which is typically located on the front windshield.
The student immediately forwarded the glitch to his teacher, web security researcher and seminar instructor Troy Hunt, who teamed up with fellow researcher and Leaf owner Scott Helme to test the security gap on video. But what if the vehicle’s engine was tampered with by a hacker with potentially life threatening consequences?
The deficiency does not appear to have safety implications, though it could allow attackers to adjust the climate-control system, fiddle with the charging system or access private data such as driving history.
“As vehicle manufacturers rush towards joining in on the “internet of things” craze, security can not be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place”.
Nissan has told the BBC that it is aware of the issue and is working on a solution.
Those who have never signed up are not at risk.
The vulnerability was revealed by prominent security researchers.
Nissan has yet to respond.
Advertisement
“If I was to monitor your movements over the course of the week and learn when you go to and from work, shortly after you got to your office I could run the heating for the remainder of the day”, Hunt says. Hackers could have exploited the NissanConnect app’s vulnerability to cause mischief.
