API Vulnerability In Nissan Leaf Electric Vehicles Leaves Them Prone To Hacking
Prominent security researcher Troy Hunt has revealed a flaw in the Nissan Leaf that leaves the car vulnerable and can compromise data on the driver's recent journeys.
Hunt learned about the vulnerability in the Nissan Leaf while running a training workshop in Norway last month.
It all started with a workshop attendee who owns a Nissan Leaf, the best-selling electric car in the world.
"What the workshop attendee ultimately discovered was that not only could he connect to his Leaf over the Internet and control features independently of how Nissan had designed the app, he could control other people's Leafs," says Hunt.
Hunt tried to demonstrate the issue in a video with the help of Scott Helme, a friend and fellow security researcher who also owns a Leaf.
According to Hunt, the root of the issue is that the NissanConnect EV app requires only the car's vehicle identification number (VIN), so anyone who has it can take control of some settings. These include the heating and air-conditioning system, and even the driver's recent journeys.
Some Nissan Leaf owners also confirmed the vulnerability in emails that soon started flooding Hunt's inbox.
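The authorization gap described above, shown beside a corrected check, as an added example that is not code from Hunt's post or from Nissan. Every name in it (`Request`, `OWNERS`, `SESSIONS`, both handlers, the sample VINs and tokens) is hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical): VIN -> owning account, session token -> account.
OWNERS = {"SAMPLEVIN00000001": "alice", "SAMPLEVIN00000002": "bob"}
SESSIONS = {"tok-alice-constructed": "alice", "tok-bob-constructed": "bob"}


@dataclass
class Request:
    vin: str
    action: str                   # e.g. "climate_on" or "recent_journeys"
    token: Optional[str] = None   # session token issued after the owner logs in


def handle_vin_only(req: Request):
    """Flawed pattern: the VIN both selects the car and authorizes the caller."""
    if req.vin in OWNERS:
        return 200, f"{req.action} accepted for {req.vin}"
    return 404, "unknown vehicle"


def handle_with_ownership_check(req: Request):
    """Hardened pattern: authenticate the caller, then check they own the VIN."""
    account = SESSIONS.get(req.token) if req.token else None
    if account is None:
        return 401, "authentication required"
    # Same answer for an unknown VIN and someone else's VIN, so the
    # endpoint does not confirm which VINs exist.
    if OWNERS.get(req.vin) != account:
        return 403, "not authorized for this vehicle"
    return 200, f"{req.action} accepted for {req.vin}"


if __name__ == "__main__":
    bobs_car = "SAMPLEVIN00000002"
    print(handle_vin_only(Request(bobs_car, "climate_on")))
    print(handle_with_ownership_check(Request(bobs_car, "climate_on")))
    print(handle_with_ownership_check(Request(bobs_car, "climate_on", "tok-alice-constructed")))
    print(handle_with_ownership_check(Request(bobs_car, "climate_on", "tok-bob-constructed")))
```

A VIN is an identifier, not a secret, so the second handler treats it only as a selector and takes the authorization decision from the authenticated session.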
"I read your Vtech article and though[t] that you would be well placed to appreciate this," wrote one Canadian follower. "I'm a Nissan Leaf owner and I found out that Nissan security is pretty abysmal. They have an App to remote start charging, start/stop the AC/Heat, and get updated on current state of the vehicle."
Hunt also published a disclosure timeline that explains how he made several attempts to have the issue resolved by Nissan.
"I made multiple attempts over more than a month to get Nissan to resolve this and it was only after the Canadian email and French forum posts came to light that I eventually advised them I'd be publishing this post," says Hunt.
So far, there are at least five dates included in the timeline. The latest is Feb. 24, when Hunt published his blog post on the vulnerability. That date also marks 4 weeks and 4 days since the issue was first disclosed.
Nissan, according to Hunt, should take action to solve the issue because of its potential impact on the vehicle's physical functions and the risk it poses to privacy. Furthermore, the issue is now shared knowledge among Canadian Leaf owners, who discuss the flaw in an online forum.