Due to a security flaw in the Nissan Leaf electric car, a hacker on the other side of the world was able to take control of one car’s functions and access information on what journeys the car has taken.
The Nissan Leaf is reportedly one of the most popular electric cars in the world, but recently a serious security flaw has been exposed that allows hackers access to the cars functions from literally anywhere in the world.
— Fortune (@FortuneMagazine) February 25, 2016
Fortunately, it wasn’t an evil hacker who took control of the car in question. It was Troy Hunt, a security researcher based in Australia, who tested the vulnerability of a fellow security expert’s Nissan Leaf car in the U.K. All Hunt needed, reportedly, was the easily-attainable VIN number, giving him access to turn on the air conditioning and heating systems in his colleague’s U.K. car.
Hunt then uploaded a video to YouTube of the hack, showing how easy it was for him to do this.
As reported by The Verge, the Nissan Leaf has a companion smartphone app, NissanConnect, which is used by car owners to check on the status of their vehicle, including for instance the car’s remaining battery range. This app was exploited by Hunt to gain access to the climate control of the car and turn on the heated seats.
Obviously, in a more serious hacking situation, this could allow malicious attackers to take control of various aspects of the Nissan Leaf vehicles, including running down the battery of a car, or even worse, accessing data on the car’s recent journeys, possibly using this data to strand individuals.
Nissan Leaf electric car hack revealed https://t.co/Mbt3MxfCv1
— BBC Technology (@BBCTech) February 24, 2016
According to Scott Helme, who assisted Hunt in the test hack, the Nissan Leaf doesn’t have features like remote unlock or remote start like similar vehicles from other manufacturers do. He said that would be a disaster, especially after what their hack has revealed.
“Still, a malicious actor could cause a great deal of problems for owners of the Nissan Leaf.”
Reportedly, what is even more unnerving is how easy it was to perform the hack. The Nissan Leaf would apparently need to have been connected to the Nissan app and to be stationary at the time of the attack, but the hack can still cause chaos with the electric vehicle. Reportedly all you need is the VIN number of the car, which is prominently displayed on the Leaf’s windscreen.
International Business Times quoted security expert Graham Cluley as saying, “If hijacking a Jeep remotely was like man landing on the moon, turning a Nissan Leaf owner’s air-conditioning on remotely is like walking up the stairs.”
For any concerned Nissan Leaf owners, Helme has provided details on how to prevent a malicious attack of this nature and the easiest fix is to simply unregister the NissanConnect app. During the hacking experiment, as soon as the car was unregistered, Hunt could no longer communicate with the vehicle.
Helme said that, to disable CarWings, car owners must log into the service from their browser, as it reportedly cannot be done through the mobile app.
Once logged in, the car owner should select “Configuration” from the menu and select the “Remove CarWings” option. Reportedly the option appears greyed out on the menu, but it does work when clicked.
Users will then receive a prompt asking them to confirm that they wish to disable CarWings and to provide a reason why. The car owner must then click “Validate” after selecting an appropriate option and a confirmation message will be received. Whether there is a “scared of being hacked” option to choose from was not reported.
According to Hunt, he has warned Nissan several times about the vulnerability of the Nissan Leaf cars since he found it on January 23 and the problem remains unfixed.
While Hunt does admit the vulnerability is not as bad as it could be, and while a malicious attacker can’t hijack the driving control of the Nissan Leaf vehicle, it is still unnerving to know that hackers can access control of the inner workings of the car.