Nissan Leaf vulnerable to hacking

Nissan says there are no safety issues regarding its electric model Nissan Leaf, after a security researcher claimed that part of its software can be easily hacked.

Speaking to the BBC, Troy Hunt said the car’s heating and air-conditioning systems can be hijacked while data about the owner’s recent journeys can also be accessed. Although not dangerous, he claimed this vulnerability could allow hackers to run down batteries.

He has urged drivers to disable their Nissan CarWings account to protect themselves.

A spokeswoman for Nissan said, ‘Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions. It has no effect whatsoever on the vehicle’s operation or safety.

‘Our global technology and product teams are currently working on a permanent and robust solution. We are committed to resolving the issue as a matter of priority, ensuring that we deliver the best possible experience for our customers through the app now and in the future.’

Troy said the problem is that the NissanConnect app needs only a car’s vehicle identification number (Vin) to take control. The code is usually stencilled into a car’s windscreen, making it relatively easy to copy. The initial characters of a Vin refer to the brand, make of car, and country of manufacture/location of the firm’s headquarters.

‘Normally it’s only the last five digits that differ. There’s nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries and turn the air conditioning on in every one. They would then get a response that would confirm which vehicles exist.’

Australia-based Troy tested the hacking process by using the Vin number of a Nissan Leaf-owning acquaintance based in the UK, cybersecurity adviser Scott Helme.

Scott said, ‘I was sat in the vehicle with everything powered off and didn’t have my key on me. As I was talking to Troy on Skype, he pasted the web address into his browser and then maybe 10 seconds later I heard an internal beep in the car.

‘The heated seat then turned on, the heated steering wheel turned on, and I could hear the fans spin up and the air-conditioning unit turn on.’

Further tests indicated that the hack did not work if the vehicle was in motion, but it was possible to see the owner’s registered username, as well as times and distances of recent journeys, but not location data.

Troy added, ‘The right thing to do at the moment would be for Nissan to turn it [CarWings] off altogether. They are going to have to let customers know. And to be honest, a fix would not be hard to do.

‘Unfortunately what we are seeing is just another case of security being important after a problem is discovered.’