— A Nissan LEAF hack got the attention of Nissan that has now disabled the application that allowed researchers to hack the electric car from across the world.
Nissan, like other automakers, believes a consumer won't purchase a car unless that car is fully and wirelessly connected to the world, something Nissan says "is an absolute must for today’s drivers."
That's fine and good as long as the automaker can protect its own vehicles from outside wireless attacks that can take control away from the driver.
In the case of the Nissan LEAF, the situation isn't as serious as the Jeep Cherokee hack last year that sent the SUV into a ditch and caused Fiat Chrysler to recall 1.4 million Jeeps. However, the Nissan LEAF hack exposed serious problems with the security of the NissanConnect EV application, formerly known as CarWings.
The NissanConnect EV App Is Open to All
The NissanConnect EV app was created to provide LEAF owners a way to check the charging status of the LEAF and to have limited control of certain operations of the car.
Australian security researcher Troy Hunt went public with the hacking news after giving Nissan a month to fix the flaws. Mr. Hunt was attending a security conference in Norway when someone at the conference approached Hunt and told him about problems with the LEAF. The attendee said not only could he control functions of his own LEAF by simple measures online, he could do the same thing to any Nissan LEAF.
Hunt put it to the test and discovered the attendee was correct. Just by using a vehicle identification number (VIN) and a Web browser, a hacker could turn on the heated steering wheel, heated seat and the air conditioning, even if the car was shut off. A great way to drain the batteries of the electric LEAF.
Hunt notified Nissan about the vulnerability and gave them 30 days to fix the flaws before going public with the details. Thirty-two days later and Nissan hadn't done anything, at least not until the news hit the public.
Nissan's Glacial Response is Troubling
Nissan now says it has disabled the NissanConnect EV app and will be releasing a new updated version in the near future. However, the automaker didn't say why it didn't disable the app before Hunt went public with the security holes.
"I would have preferred to see faster action from Nissan. In my view, this is the sort of flaw that needs to have the service pulled until it can be fixed properly and restored; it’s not a critical feature of the vehicle yet it has the potential to impact its physical function and there’s the privacy risk as well." - Troy Hunt
What Hunt finds particularly disturbing is Nissan's lack of protection for the NissanConnect EV app. Researchers said not only was the security of the app horrible, it was non-existent. Nissan did nothing to protect the system with any type of authorization code or token.
The LEAF hack was made possible by simply inputting the VIN online, then after that Hunt could alter the last five digits of the VIN to gain access to additional cars.
The beginning characters of a VIN refer to the make and brand of the car and the country where the vehicle was manufactured. Simply put, to target as many vehicles as possible, all a hacker needs to do is change the last five digits, not the entire VIN.
Finding a complete VIN to start the process is an easy task due to the location of the VIN always visible through the windshield.
Although the hack was successful with the car shut off and unattended, Hunt says he couldn't access the app if the LEAF was moving. Hunt also says data about the location of the LEAF wasn't available, but a hacker could easily see the registered username of the owner and also view information related to previous trips taken by the LEAF.
A hacker could use the driving history to know when and where the car travels on certain days, gathering a pattern of the movements of the driver.
Although the news isn't good for Nissan, researchers say it's fortunate the LEAF, unlike other cars, doesn't have features to unlock and start the car remotely because those would be additional targets of hackers.
Although Mr. Hunt and others used the LEAF as their subject victim, Nissan says the eNV200 also uses the same app, which includes over 200,000 vehicles total.
While Hunt admitted the hack couldn't bring a LEAF to a stop in the middle of the highway, the researcher said it should be seen as another warning to automakers about vehicle security.
Hunt says he sincerely wants Nissan to fix the risk, especially considering he owns a Nissan vehicle himself, "albeit not a connected one."