Security researchers have disclosed a vulnerability in Nissan LEAF cars that could potentially allow hackers to access data on recent trips, as well as tamper with the heating and air-conditioning systems.
The flaw appears when the electric vehicle communicates with its companion app – NissanConnect EV – which drivers can use to view and control certain features, such as checking driving range and state of charge, or adjusting the in-car climate.
However, researchers Troy Hunt and Scott Helme recently discovered the mobile app’s communication with the car is entirely unauthenticated.
With just the Nissan’s VIN (Vehicle Identification Number), an attacker could potentially send the same commands and requests via the Internet.
Even more alarming is the fact that this unique code is usually made visible through the car’s windshield.
Although the issue is not life-threatening, Hunt warns that hackers could still exploit the app to cause mischief like running down the car battery, leaving the heater on for hours or simply compromising the user’s privacy.
“Nissan needs to fix this,” wrote Hunt in a blog post.
“It’s a different class of vulnerability to the Charlie Miller and Chris Valasek Jeep hacking shenanigans of last year, but in both good and bad ways. Good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” said Hunt.
Hunt says he initially notified Nissan of the vulnerability last month. The car manufacturer reportedly acknowledged the flaw and said the company was “making progress towards a solution.”
“As car manufacturers rush towards joining in on the ‘internet of things’ craze, security cannot be an afterthought…” said Hunt.