The Nissan Leaf is one of the most popular EVs in the world with many of them in the hands of customers globally. Recently a security vulnerability was discovered in the way the Nissan app interacts with the Leaf that allows people to access Leaf functions remotely outside of how Nissan intended the car to be accessible. The discovery was made by a Leaf owner who happens to be an app developer while at a security conference.
The man discovered that he could connect to his Leaf over the internet and control features independently of how Nissan intended the features to be controlled. He also determined that he could connect to Leaf EVs owned by others in the same manner. The scary part about this vulnerability is that for someone to access the features of your Leaf, they don’t have to be anywhere near your car, in fact the features can be accessed from across the world.
Security researcher Troy Hunt and a friend go deeply in the technical steps required to access the information. The researchers found that they could access information from the car anonymously via a GET request. The researcher discovered that he could access information about the Leaf and only needed to know the VIN of the car to get that information.
With the VIN and the right queries, you can get battery status and climate control status. He then found that you could construct queries to turn on the climate control and you could glean the person’s user name from the data returned as well. By finding a Leaf VIN on the web, the researchers were able to access other user information in the same way. In the end, the researchers found that there is a complete lack of authentication on the service for the Leaf and its companion app. The flaw was reported to Nissan according to the researchers, but after over a month the issue is still unpatched.
SOURCE: Troy Hunt