Hacker controls Nissan Leaf using smartphone app vulnerability
A cybersecurity expert has found a way to control any Nissan Leaf, the world’s most popular electric vehicle. The vulnerability, discovered by expert Troy Hunt, allows anyone to take control of the air conditioning and heating systems of any Leaf – and even gives access to the car’s journey history. According to Hunt, the hack was done remotely via the NissanConnect EV app and allowed him to take control of other people’s Leafs on the other side of the world.
How does it work?
Like many other electric vehicles, the Nissan Leaf uses a counterpart app to display your driving habits, charge levels and general eco-friendliness – but it also allows for preconditioning. Simply put, preconditioning allows you to control elements of your car remotely, while it’s charging. That way you can do things such as warm the cabin while the car’s still charging, saving your precious battery life for driving.
Hunt says he only needed a VIN (vehicle identification number) to gain access to this area via the app. “It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre,” he told the BBC. The first few characters of a car’s VIN refer to the brand, model and country of origin, so only the last few numbers would set each Leaf apart.
“Normally it’s only the last five digits that differ,” Hunt told the BBC. “There’s nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries and turn the air conditioning on in every one
In a video, Troy Hunt is shown remotely controlling these features via the API of the NissanConnect EV app, and is also shown testing the theory remotely with a friend’s Leaf in the UK. Interestingly, it appears that a hacker could even use a web browser to access the vulnerability.
“As I was talking to Troy on Skype, he pasted the web address into his browser and then maybe ten seconds later I heard an internal beep in the car,” Scott Helme, a cybersecurity adviser, told the BBC.
“The heated seat then turned on, the heated steering wheel turned on. And I could hear the fans spin up and the air-conditioning unit turn on.”
Is it dangerous?
Not particularly. Troy Hunt says he gave Nissan a month to fix the issue, and today it appears that the company has deactivated the NissanConnect EV service – but it didn’t represent an immediate risk. In a worst case scenario, hackers would be able to access the AC unit of a Leaf, and make the interior either really warm or really cold – potentially running down the battery in the process. What’s more, the hack doesn’t work when the car is in motion.
As Hunt says: “It’s much like being able to start the engine in a petrol car to run the AC, it’s going to start consuming the fuel you have in the tank. If your car is parked on the drive overnight or at work for ten hours and left running, you could have very little fuel left when you get back to it… You’d be stranded”
At the same time, they’d also have access to your journey history and eco-stats, which, while unnerving, pales in comparison to recent car hacks.
As Hunt writes in his blog: “It’s a different class of vulnerability to the Charlie Miller and Chris Valasek Jeep hacking shenanigans of last year, but in both good and bad ways. Good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial.” Hunt also found that, as soon as his friend disconnected the app from the Nissan Leaf, it was no longer hackable.
We asked Nissan for a statement on the current issues, and they said us the below:
“The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF and eNV200) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
No other critical driving elements of the Nissan LEAF or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.
We apologize for the disappointment caused to our Nissan LEAF and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
We’re looking forward to launching updated versions of our apps very soon.”
The hack should come as yet another warning sign to car manufacturers. While app-integration such as the NissanConnectEV service represents an important step forward for cars, manufacturers need to ensure they adhere to the same security standards we expect from the other apps we use. With companies such as Volvo already hoping to replace car keys, and Nissan looking at stepping up car-app integration, these security issues need to be dealt with as soon as possible.
Read next: All you need to know about the Tesla Model 3