Nissan Leaf phone app disabled over hacking risk

Nissan Leaf front cornering
25 Feb, 2016 12:20pm Joe Finnerty

Nissan has turned off the companion app for its Leaf electric car after a security flaw was revealed by IT experts

Nissan has deactivated its Leaf and eNV200 companion app after an IT expert revealed air-con and heating systems could be hijacked and journey data could be accessed remotely.

Troy Hunt revealed that a security flaw in the NissanConnect EV app (formerly called CarWings) meant hackers could remotely take control of some systems - although not while the car was in motion. To access the app, all that was needed was a car's vehicle identification number (VIN) and this is normally stencilled on a car's windscreen making it easy to find and copy.

Car hacking: study shows 100 models at risk

The initial characters of a VIN number refer to the brand, model of car, and the country of manufacture or the location of the firm's headquarters. "Normally it's only the last five digits that differ," Hunt told the BBC. "There's nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air conditioning on in every one." "They would then get a response that would confirm which vehicles exist."

Attackers would not even need to use the app, he added, since the commands could be sent via a web browser.

Nissan Leaf hack demonstrated on video

Austrialian-based IT consultant Hunt demonstrated the hack by using the VIN number of the Nissan Leaf belonging to his friend in the UK. Owner Scott Helme, who is also a cybersecurity adviser, said: "I was sat in the vehicle with everything powered off and didn't have my key on me. So, the vehicle was as it would be if it was completely unattended.

"As I was talking to Troy on Skype, he pasted the web address into his browser and then maybe 10 seconds later I heard an internal beep in the car." "The heated seat then turned on, the heated steering wheel turned on. And I could hear the fans spin up and the air-conditioning unit turn on."

Nissan investigation leads to app being disabled

Following the publication of Hunt's findings, Nissan launched an internal investigation and found the dedicated server for the app could be accessed via a non-secure route leading it to switch-off the tech.

A spokesman added: "No other critical driving elements of the Nissan LEAF or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence.

How to value your car: the complete guide

"The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.
"We apologise for the disappointment caused to our Nissan LEAF and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount. We're looking forward to launching updated versions of our apps very soon."

What do you think of the security problems facing modern connected cars? Join the debate in the comments section below...