Nissan Suspends App for Leaf after Security Flaws are Exposed

March 3, 2016

Nissan has pulled an app for its popular electric car after a security researcher found that he could control a Nissan Leaf in England from his home in Australia.

Fortunately, the app can control only minimal car functions, but as tech experts found out, it was an easy hack, requiring little more than a car's vehicle identification number (VIN). Nissan has suspended the app while it works on a fix.

Security researcher Troy Hunt informed Nissan of the problem in January and went public at the end of February when another researcher in Canada reported finding the same problems. Hunt teamed up with a fellow security researcher and Leaf owner, Scott Helme, and the pair shot a video showing how easy it was to control the car using a browser, a web address, and a VIN. From sunny Australia, Hunt was able to control the car's climate control and access Helme's travel history. Helme, sitting in the car in northern England, confirmed that he did not have the key with him and that the controls were being manipulated by Hunt.
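The flaw class described above is a server-side authorization failure: a vehicle API that treats a VIN, which is printed on the windshield and is not a secret, as the only credential needed to act on a car. The following illustration is added here and is not Nissan's code or any real vehicle API; the VINs, owners, session store and function names are all constructed for the example. It places the weak pattern beside a hardened form that requires an authenticated session and checks that the caller's account actually owns the VIN before touching the car.

```python
# Illustration of VIN-only authorization (the flaw class in the article) beside
# an ownership-bound check. Hypothetical code; not Nissan's API.
import secrets

# Constructed sample data: which account owns which VIN, and per-car state.
OWNERS = {
    "alice": {"VIN-EXAMPLE-0001"},
    "bob": {"VIN-EXAMPLE-0002"},
}
VEHICLE_STATE = {
    "VIN-EXAMPLE-0001": {"climate": "off"},
    "VIN-EXAMPLE-0002": {"climate": "off"},
}

# In-memory session store: opaque token -> account name.
SESSIONS = {}


def weak_set_climate(vin, mode):
    """Vulnerable pattern: the VIN is the only thing checked, so anyone who
    knows or enumerates a VIN can change the climate control of that car.
    There is no notion of who is calling."""
    if vin not in VEHICLE_STATE:
        return "unknown vehicle"  # also leaks which VINs exist
    VEHICLE_STATE[vin]["climate"] = mode
    return "ok"


def issue_session(username):
    """Create an unguessable session token for an already-authenticated user.
    (How the user proved their identity is out of scope for this example.)"""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def strong_set_climate(token, vin, mode):
    """Hardened pattern: authenticate the caller, then authorize the specific
    object (VIN) against that caller's account before acting on it."""
    username = SESSIONS.get(token)
    if username is None:
        return "unauthenticated"
    # Ownership check. Unknown and unowned VINs get the same answer so the
    # endpoint cannot be used to discover which VINs are registered.
    if vin not in OWNERS.get(username, set()):
        return "forbidden"
    VEHICLE_STATE[vin]["climate"] = mode
    return "ok"


def climate_of(vin):
    """Helper for inspecting state after a call."""
    return VEHICLE_STATE[vin]["climate"]


if __name__ == "__main__":
    # Anyone with a VIN succeeds against the weak endpoint.
    print("weak  :", weak_set_climate("VIN-EXAMPLE-0001", "heat"))
    # Against the hardened endpoint, bob cannot act on alice's car.
    bob = issue_session("bob")
    print("strong:", strong_set_climate(bob, "VIN-EXAMPLE-0001", "heat"))
    print("strong:", strong_set_climate(bob, "VIN-EXAMPLE-0002", "heat"))
```

The design choice worth noting is that the hardened check is an object-level authorization decision made on the server for every request; moving the VIN into a hidden field, an app-only header or an obscure URL would not change the outcome, because the VIN itself was never a secret.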

While making the car too hot or too cold is a far cry from being able to control the movements of the car, as in the infamous 2015 Jeep Cherokee hack, being able to remotely turn on the car could drain the battery, leaving the driver stranded. The travel history also provides enough information to predict an owner's movements and when they aren't home.

Most importantly though, the hack was easy.

Hunt wrote on his blog,

As car manufacturers rush towards joining in on the "internet of things" craze, security cannot be an afterthought nor something we're told they take seriously after realising that they didn't take it seriously enough in the first place. Imagine getting it as wrong as Nissan has for something like Volvo's "digital key" initiative where you unlock your car with your phone.

Nissan is just the latest automaker to have its security flaws made public. In July 2015 Fiat Chrysler recalled 1.4 million vehicles to have their software patched after two hackers took control of a Jeep Cherokee with a Wired reporter inside. The holes had been known to the company since 2013, but the company made little effort to inform owners other than initially requiring them to head to a dealership for an update.

Fiat Chrysler later mailed jump drives to owners with directions on how to install the new software. An investigation by the National Highway Traffic Safety Administration (NHTSA) estimated that an additional 2.8 vehicles could be impacted.

Not too long after, Tesla announced that security researchers had found a flaw that could turn off the car's engine. Hackers, however, would have needed access to the inside of the car in order to plant a virus, unlike the problems with Nissan and Fiat Chrysler, which could be exploited remotely. Tesla's over-the-air updating system also patched every car before news of the holes was made public.