Researchers used nothing more than a web browser to reach Nissan LEAF controls that are exposed through the LEAF Nissan Connect app. Nissan is aware of the situation and is working on a fix.
Troy Hunt, a security expert, met a LEAF owner at the NDC conference in Norway who helped him discover the code behind the app by routing its traffic through a proxy to see every request the app made.
“The API can be accessed anonymously. It’s a GET request so there was nothing passed in the body nor was there anything like a bearer token in the request header. In fact, the only thing identifying his vehicle was the VIN,” wrote Hunt on his blog.
The team was able to read the battery status, turn on the heated seats and activate the climate control, and by trying other VINs they found another owner’s LEAF.
This is a really major piece and I have been working on: APIs that control the Nissan LEAF without auth https://t.co/8Atg4we60c
— Troy Hunt (@troyhunt) February 24, 2016
To demonstrate the problem, a YouTube video shows Scott Helme in the north of England while features of his LEAF are activated over the web by Troy Hunt in Australia. Hunt was also able to see Helme’s recent trips: how far he drove, the dates and times, and the number of trips.
One programmer noted: “I found out that the whole API is unauthenticated and only requires the VIN to target a vehicle. To add insult to injury, those actions are from simple HTTP GET requests.”
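To make the defect concrete, here is an added example (not Nissan’s code, and not from Hunt’s or Helme’s write-ups) that models the endpoint the article describes, where the VIN is the only identifier, beside a hardened handler that authenticates the caller and then checks that the caller actually owns the requested VIN. All vehicle data, account names and the signing key are constructed for the illustration.

```python
# Added example: the anonymous, VIN-only lookup described in the article,
# next to a version with authentication and object-level authorization.
# Everything below is constructed sample data, not real vehicles or keys.
import hashlib
import hmac

# Constructed sample data: which VIN belongs to which owner account.
VEHICLES = {
    "VIN-CONSTRUCTED-0001": {"owner": "alice", "battery_pct": 82, "trips": 14},
    "VIN-CONSTRUCTED-0002": {"owner": "bob",   "battery_pct": 37, "trips": 9},
}

# Server-side secret used to sign session tokens (constructed; a real service
# would load a random key from a secret store).
SERVER_KEY = b"constructed-server-secret"

def issue_token(user: str) -> str:
    """Return a 'user:hmac' bearer token bound to one owner account."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def vulnerable_status(vin: str) -> dict:
    """The pattern the article describes: anonymous GET, VIN is the only input."""
    # Anyone who can guess or enumerate a VIN receives that vehicle's data.
    return dict(VEHICLES[vin])

def hardened_status(headers: dict, vin: str):
    """Authenticate the bearer token, then authorize it for this specific VIN."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    user, _, mac = auth[len("Bearer "):].partition(":")
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(mac, expected):
        return 401, {"error": "invalid token"}
    vehicle = VEHICLES.get(vin)
    # Object-level authorization: the token must belong to the VIN's owner.
    # Unknown VIN and someone else's VIN get the same 404, so the response
    # does not confirm which VINs exist.
    if vehicle is None or vehicle["owner"] != user:
        return 404, {"error": "not found"}
    return 200, {k: v for k, v in vehicle.items() if k != "owner"}
```

The hardened handler still serves the legitimate owner (200), but an unauthenticated call gets 401 and a valid token presented against another owner’s VIN gets 404.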
The good news is that the Nissan LEAF doesn’t have features like remote unlock or remote start, as some vehicles from other manufacturers do; given how easy the API was to abuse, exposing those would have been a disaster.
Helme notes that a malicious hacker could cause a great deal of trouble for owners of Nissan LEAFs. Being able to remotely turn on the air conditioning could put a significant drain on the battery over time, because the attacker can keep activating it; it could drain the battery overnight.
Helme’s main concern is that the car’s telematics system is leaking all of his historic driving data. Since the records go back almost 2 years, they could easily be used to build a profile of his driving habits and predict when he will be away from home.
Hunt contacted Nissan starting on January 23 and was asked not to publish the article yet. We contacted Nissan’s PR representative and received this statement via email:
“Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions. It has no effect whatsoever on the vehicle’s operation or safety.
Our global technology and product teams are currently working on a permanent and robust solution. We are committed to resolving the issue as a matter of priority, ensuring that we deliver the best possible experience for our customers through the app now and in the future.”
Update 6:29 pm PST: the CARWINGS app is now grounded.