Nissan Leaf vulnerability opens climate controls to hackers

The Nissan Leaf electric car has a security issue that leaves it vulnerable to hackers, security researcher Troy Hunt has revealed. The vulnerability leaves the Leaf's climate systems — the air conditioner and heater — open to hackers, and it all revolves around the auto maker's companion mobile app. While the vulnerability doesn't risk the drivers' personal safety, it does provide an avenue for someone to drain a Leaf's batteries.

Hunt details the vulnerability on his website, saying it was discovered by someone attending a hacking workshop. The attendee'd found he could connect to his own Leaf vehicle over the Internet and control some of the features outside of the prescribed manner. As well, he could do the same with Leaf vehicles that he didn't own. This is possible "literally from the other end of the earth."

He goes through the technical details on how the issue was discovered, including screenshots. At the end of it all, Hunt says he notified Nissan of the issue, making "multiple attempts over more than a month to get Nissan to resolve this." The information was sent to the auto maker on January 23; on February 12, Nissan told Hunt it was "making progress toward a solution."

Ultimately, he has published his findings after 4 weeks and 4 days from the initial disclosure. Says Hunt:

I do want to make it clear though that especially in the earlier discussions, Nissan handled this really well. It was easy to get in touch with the right people quickly and they made the time to talk and understand the issue. They were receptive and whilst I obviously would have liked to see this rectified quickly, compared to most ethical disclosure experiences security researches have, Nissan was exemplary.

Speaking to the BBC, a Nissan spokesperson said:

Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions. It has no effect whatsoever on the vehicle's optation or safety. Our global technology and product teams are currently working on a permanent and robust solution. We are committed to resolving the issue as a matter of priority, ensuring that we deliver the best possible experience for our customers through the app now and in the future.

A specific timeframe in which Nissan expects to have a solution for the issue was not stated.