Anyone with knowledge of a Nissan Leaf's vehicle identification number could use it to manipulate heating and air-conditioning functions and potentially drain the electric vehicle's battery. Outsiders could also view location data from a vehicle's recent trips and obtain private information on a driver's whereabouts.
Cyber-security researcher Troy Hunt disclosed the vulnerabilities Wednesday after discovering them during a workshop last month. He says the interface that controls communications between the outside world and the car doesn't authenticate users, so anyone with cursory knowledge of a VIN can access the vehicle via the NissanConnect app and receive responses.
"Fortunately, the Nissan Leaf doesn't have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered," Hunt writes on his website.
The vulnerability is an anomaly in automotive cyber-security circles. It contains none of the dire implications of the remote hack of a Jeep Cherokee that researchers demonstrated last year, in which they commandeered steering, acceleration and brake functions from halfway across the country. At worst, someone with mischievous intent could drain a battery and leave a car owner with a headache.
But that also misses the point. The Jeep hack was a difficult feat – it took researchers Chris Valasek and Charlie Miller months to target and exploit a single vehicle. By contrast, the NissanConnect vulnerability, Hunt says, was easy to find and exploit.
VINs can often be viewed through the windshield, and the "risks like the one above were discovered by doing nothing more than using the app as it was intended to be used and observing the traffic going backwards and forwards," Hunt writes. "This is the mobile equivalent of opening your browser's dev tools and watching the network tab."
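The missing check described above, sketched as an added example (not Nissan's code and not from Hunt's write-up): a handler that accepts the VIN as the only credential, beside one that authenticates the caller and verifies the VIN belongs to that account. The account names, VINs, token format and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed data: accounts, VINs and the token format are hypothetical.
SERVER_KEY = secrets.token_bytes(32)
OWNERS = {"alice": {"TESTVIN0000000001"}, "bob": {"TESTVIN0000000002"}}


def _mac(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user):
    """Issued after login; binds the session to one account."""
    return f"{user}.{_mac(user)}"


def authenticate(token):
    """Return the account name for a valid token, else None."""
    user, _, mac = (token or "").partition(".")
    valid = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if valid else None


def climate_vin_only(vin, action):
    """Flawed pattern: knowing a VIN is enough to command the car."""
    known = any(vin in vins for vins in OWNERS.values())
    return (200, f"{action} sent to {vin}") if known else (404, "unknown VIN")


def climate_authorized(token, vin, action):
    """Hardened: authenticate the caller, then check VIN ownership."""
    user = authenticate(token)
    if user is None:
        return (401, "authentication required")
    if vin not in OWNERS.get(user, set()):
        # Same answer for foreign and nonexistent VINs, so the
        # endpoint cannot be used to confirm which VINs are enrolled.
        return (403, "forbidden")
    return (200, f"{action} sent to {vin}")


if __name__ == "__main__":
    alice = issue_token("alice")
    print(climate_vin_only("TESTVIN0000000002", "ac_on"))           # no login at all
    print(climate_authorized(alice, "TESTVIN0000000002", "ac_on"))  # not her car
    print(climate_authorized(alice, "TESTVIN0000000001", "ac_on"))  # her own car
```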
On Wednesday afternoon, Nissan acknowledged a "data issue." A spokesperson for the company says, "our global technology and product teams are currently working on a permanent and robust solution. We are committed to resolving the issue as a matter of priority, ensuring that we deliver the best possible experience for our customers."
But as automakers rush to connect smartphone apps to vehicle functions, Hunt's research will surely be a topic discussed by the automakers' fledgling Information Sharing and Analysis Center, a group that became operational in December and is supposed to deal with the industry's car-hacking vulnerabilities.
In the meantime, Hunt is hoping Nissan fixes the problem by shuttering the app until it's more secure.
"In my view, this is the sort of flaw that needs to have the service pulled until it can be fixed properly and restored; it's not a critical feature of the vehicle yet it has the potential to impact its physical function and there's the privacy risk as well."