A computer security researcher by the name of Troy Hunt has been able to penetrate the Nissan Leaf’s software with merely a Web browser and Internet connection. Moreover, the regular ol’ Leaf was tapped from thousands of miles away, proving what Hunt hypothesized a while ago.
Though the developer was only able to access the Leaf’s HVAC (climate controls and seat heaters), his discovery raises questions about what else might be vulnerable with better resources or more time. Indeed, if the security risks lead to experiments like Chrysler’s UConnect hacking, there may be broader concerns for Leaf owners.
While at a developer conference, Hunt met an attendee who began using Nissan’s smartphone app to control features on his own Leaf not intended by the automaker. What’s worse, the developer could control other people’s Leafs as well.
On Hunt’s webpage, the researcher teams up with friend and Leaf owner Scott Helme to show how he can infiltrate Helme’s Leaf in the U.K., from his home in Australia.
Hunt was able to access the Leaf computer to document recent trips, power usage information, charge levels, and more. He was also able to control the vehicle’s climate controls. While the latter might sound like the perfect recipe for a prank, the available data could also easily be leveraged by criminals, and non-native app functions could conceivably be made available to a skilled programmer.
Hunt showed that access to any Leaf is possible thanks to a shielded code request where the VIN can be exchanged at will. If a hacker gained access to a Leaf’s VIN (via a Web search or a glance at the vehicle’s windshield), they could perform the same experiment on that car.
Oh, and if you assumed that a hacker would be putting themselves at risk by accessing this information, Hunt notes that each API session didn’t contain origin information (it was completely anonymous).
With these findings in hand, Hunt reported the security risks to Nissan. However, as the researcher notes on his site, it’s been over a month and Nissan has yet to resolve the issue. Hunt did clarify that he was able to get in touch with the right people at the automaker post-haste, but the lack of security within the native app is still concerning.
Sure, the present risks to Nissan Leafs aren’t life-threatening (unless you’re driven insane by seemingly autonomous climate controls), but this should serve as a warning for all automotive manufacturers of connected cars: people can and will exploit security gaps.