‘Let us break it so you can fix it.’ It’s a hacker credo as old as the first curious phreakers who explored the edges of national phone systems in the 1970s – and it’s one that’s still relevant today. After hacking enthusiast and security consultant Troy Hunt reported to the world that the Nissan Leaf electric car featured a software vulnerability that could allow outsiders to take control of certain vehicle systems, the automaker has announced that it is shutting down the app in question until it can address the vulnerability.
It was actually via a hacking workshop led by Hunt that a Leaf owner discovered they were able to use the NissanConnect EV app to control not just aspects of their own vehicle remotely, but also those of other Leaf owners, simply by swapping in those owners’ VINs. In fact, the access enabled climate control systems to be turned on and off and the charge state to be read, with no security authentication required other than the VIN itself. All of this interaction between the NissanConnect EV app and Nissan Leaf vehicles was done over the Internet, meaning cars were vulnerable to attack from anyone anywhere in the world.
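The paragraph above describes a missing object-level authorization check: the VIN, a value printed on the car and far from secret, was the only thing selecting which vehicle a command applied to. The following Python is an added illustration written for this article, not Nissan’s code or API: a request handler that mirrors that flaw sits beside a hardened version that first authenticates the caller and then verifies that the account owns the VIN. All account names, tokens, VINs and the `OWNERSHIP`/`SESSIONS` tables are constructed for the example.

```python
"""Constructed example: VIN-only authorization versus an ownership check.
Nothing here is Nissan's code; names, tokens and VINs are hypothetical."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical): which VIN belongs to which account.
OWNERSHIP = {
    "VIN_EXAMPLE_0001": "alice",
    "VIN_EXAMPLE_0002": "bob",
}

# Constructed session store (hypothetical): bearer token -> account name.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    vin: str
    token: Optional[str] = None  # the vulnerable design never required one


class AuthorizationError(Exception):
    pass


def climate_control_vulnerable(req: Request, action: str) -> str:
    """Mirrors the flaw described in the article: the VIN alone selects the
    car, so anyone who knows or guesses a VIN can act on that vehicle."""
    if req.vin not in OWNERSHIP:
        raise KeyError("unknown VIN")
    return f"{action} climate on {req.vin}"


def climate_control_fixed(req: Request, action: str) -> str:
    """Hardened form: authenticate the caller, then confirm the account owns
    the VIN before doing anything (object-level authorization)."""
    account = SESSIONS.get(req.token or "")
    if account is None:
        raise AuthorizationError("authentication required")
    if OWNERSHIP.get(req.vin) != account:
        # One error for both unknown and foreign VINs, so the response does
        # not reveal which VINs exist in the system.
        raise AuthorizationError("not authorized for this vehicle")
    return f"{action} climate on {req.vin}"


def demo() -> dict:
    """Runs the same cross-owner request against both handlers."""
    out = {}
    # Bob's VIN with no credential at all: the vulnerable handler complies.
    out["vuln_foreign"] = climate_control_vulnerable(
        Request("VIN_EXAMPLE_0002"), "start")
    # Same VIN, but the caller is authenticated as Alice: refused.
    try:
        climate_control_fixed(Request("VIN_EXAMPLE_0002", "tok-alice"), "start")
        out["fixed_foreign"] = "allowed"
    except AuthorizationError:
        out["fixed_foreign"] = "denied"
    # Alice acting on her own car still works.
    out["fixed_own"] = climate_control_fixed(
        Request("VIN_EXAMPLE_0001", "tok-alice"), "start")
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened handler looks the VIN up *relative to the authenticated account* rather than in a global table; a check that only confirms “this VIN exists” would still reproduce the original flaw.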
Hunt contacted Nissan over a month ago to express his concerns, and the company was receptive to his report. He eventually made his report public after waiting more than four weeks for the company to come up with a solution, in order to make Nissan Leaf owners aware of the vulnerability.
It didn’t take long after the publication of Hunt’s walk-through of the NissanConnect EV app exploit for the automaker to take a more dramatic step towards resolving the problem. Today, Nissan reached out to us and let us know that the app has been taken offline, pending permanent correction of the problem. Here’s the text of the message we received from the company:
The NissanConnect EV app (formerly called CarWings, and used for the Nissan LEAF) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
We’re looking forward to launching updated versions of our apps very soon.
It’s worth noting that while the NissanConnect EV app is no longer accessible, it’s still possible to reach the Leaf API using VINs by way of the Canadian HTTP GET exploit, which relies on the same kind of unauthenticated connection between remote users and vehicle systems. The company is also still operating its web portal for users who want to check on the status of their vehicles remotely.
There is currently no timeline from Nissan as to when the NissanConnect EV app will be back online.