Turns out digital security is an optional extra for cars these days, at least when it comes to Nissan’s electric-powered LEAF and its NissanConnect EV app. After a vulnerability was publicly disclosed earlier this week, the company made the decision to pull the app.
On 24 February Troy Hunt, Microsoft MVP for developer security, published details of the issue on his website. Apparently Hunt advised Nissan of the problem on 23 January, but failed to get a satisfactory response.
After waiting a month, Hunt made the decision to publish his findings, after which it took Nissan no time at all to pull the app. While the App Store link is still valid for the US, the Australian version is no longer available.
While the hack doesn’t allow one to drive the car or anything, it does let a malicious user access personal information and even turn off certain settings, including charging and climate control:
This time, personal information about Jan was returned, namely his user ID which was a variation of his actual name. The VIN passed in the request also came back in the response and a result key was returned.
He then turned the climate control off … All of these requests were made without an auth token of any kind; they were issued anonymously. Jan checked them by loading them up in Chrome as well and sure enough, the response was returned just fine. By now, it was pretty clear the API had absolutely zero access controls but the potential for invoking it under the identity of other vehicles wasn’t yet clear.
All that’s required is the vehicle’s VIN, though Hunt was able to get it working with just the last five digits.
It’s good cars are becoming more connected, but security really needs to be a higher priority.