As cars get more connected, the risk of them becoming vulnerable to hackers increases exponentially. And it looks like Nissan has learned that lesson the hard way.
The Japanese automaker has completely disabled the smartphone companion app for its Leaf electric vehicle after a security researcher proved hackers could use it to remotely control certain components of the car.
The app, NissanConnect EV, lets Leaf owners remotely charge their vehicles, as well as control the heat and air conditioning. But, according to Australian security researcher Troy Hunt, the app can be hacked so that anyone in the world could take control of the vehicle’s heating and cooling system at will.
In a test conducted with fellow researcher Scott Helme, Hunt was able to connect to Helme’s Leaf (which was in the U.K.) from Australia. During the test, Hunt was able to activate the car’s temperature controls and pull up information about how far Helme had driven his Leaf during recent road trips.
To take control of Helme’s vehicle, Hunt needed to know its vehicle identification number (VIN). Without that VIN, the hack doesn’t work. But, as Hunt and Helme showed, the VIN on every Leaf is the same, with the exception of the last five digits. That means the researchers could simply add five numbers to the end of that VIN to try to hack into a random Leaf somewhere in the world.
It’s important to note that the Leaf hack didn’t impact any part of the vehicle’s driving controls, so owners were never at risk of being forced into accidents. But in Hunt’s post, Helme details how a hacker could potentially use the exploit to run down the Leaf’s battery by repeatedly activating the air conditioner.
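The weakness described above, where knowing a VIN was enough to reach a car’s climate controls, comes down to treating an identifier as a credential. The following Python code is an added example, not Nissan’s code or the researchers’: it contrasts that pattern with a handler that authenticates the caller and checks that the VIN belongs to the caller’s account. The account names, tokens, VINs, function names and lockout threshold are all constructed for illustration.

```python
import hmac
from collections import Counter

# Constructed sample data: account -> VINs registered to it (placeholder VINs).
OWNED_VINS = {
    "alice": {"EXAMPLEVIN0000001"},
    "bob": {"EXAMPLEVIN0000002"},
}
# Constructed session tokens issued at login (hypothetical values).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

MAX_DENIALS = 5        # assumed threshold before a caller is locked out
denials = Counter()    # failed attempts per caller (token or source address)


def insecure_climate(vin, action):
    """The flawed pattern: the VIN alone selects and authorizes the vehicle."""
    known = any(vin in vins for vins in OWNED_VINS.values())
    return (200, f"{action} sent to {vin}") if known else (404, "unknown VIN")


def _account_for(token):
    """Resolve a session token to an account using constant-time comparison."""
    for known, account in SESSIONS.items():
        if hmac.compare_digest(known, token or ""):
            return account
    return None


def secure_climate(token, vin, action, source="0.0.0.0"):
    """Authenticate the caller, then check that the VIN belongs to that account."""
    caller = token or source
    if denials[caller] >= MAX_DENIALS:
        return (429, "too many failed requests")
    account = _account_for(token)
    if account is None:
        denials[caller] += 1
        return (401, "authentication required")
    if vin not in OWNED_VINS[account]:
        # Same answer for "not yours" and "does not exist": no VIN oracle.
        denials[caller] += 1
        return (403, "forbidden")
    return (200, f"{action} sent to {vin}")
```

The denial counter doubles as a detection signal: a caller cycling through VINs it does not own accumulates refusals quickly and can be alerted on before the lockout threshold is reached.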
What’s more troubling is that Hunt said he brought the hack to Nissan’s attention weeks ago, but the automaker took no action. Only when Hunt’s story began to garner some attention did the company disable the app.
In a statement, Nissan said the decision to disable the app “follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.”
The company went on to explain that while the app is currently unavailable, drivers can still use their vehicle’s manual temperature controls. What’s more, the vehicles can still be controlled via Nissan’s desktop site, as the security problem didn’t apply to it.
Nissan says it will make the app available again when it addresses the vulnerability issue.
The idea that cars can be hacked isn’t exactly new. Last year, 60 Minutes ran a report demonstrating how hackers can take control of a vehicle’s functions including the brakes and windshield wipers. But that vehicle was hacked in a controlled environment and required extensive work to take over.
So far, hackers haven’t been able to remotely hack and take control of a vehicle’s driving system in the wild. But, as with any device that’s connected to the Internet, it is probably just a matter of time before such a serious hack occurs.
That’s why it behooves automakers and security experts to work together to keep connected cars safe.