Nissan owners who want to remotely connect to their electric vehicles’ climate control systems are out of juice for the time being. Nissan has announced it has taken the NissanConnect EV app offline after a team of security researchers discovered a potentially serious flaw in the software’s security.
NissanConnect EV is an app that enables owners of the company’s Leaf and e-NV200 van models to gain remote access to climate control systems, such as the air-conditioning and heated seating. The app also allows users to access such functions as battery charging. It does not provide access to driving elements, but the potential for identity theft and performance tampering attached to the hack was enough to prompt Nissan to pull the app until its security measures could be improved.
Security researchers Troy Hunt and Scott Helme discovered the flaw during a recent software workshop in Oslo. A workshop attendee took Hunt’s advice to “hack himself first” and found he was able to connect to his own Leaf over the Internet and control its features independently of what Nissan had intended, Hunt wrote on his blog. Most alarming, he discovered he could “control other people’s Leafs,” Hunt wrote, because access only required a Vehicle Identification Number (VIN).
Hunt and Helme were able to replicate the hack using Helme’s own Leaf. Of particular concern was the fact that the hack exposed the owner’s username, which could ultimately reveal the owner’s identity. “Whilst it’s not specifically personally identifiable information such as the individual’s address, by the time you have a VIN which you know belongs to a Leaf registered within a specific country, it may not take too much effort to fill in the gap,” Hunt said, as reported in Wired.
Since VINs only differ by five to six digits, the relative ease with which others could access the program was also troubling to Hunt. “Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded,” Hunt explained on his blog. This hack had the potential to leave motorists stranded since the app could allow air conditioning to remain running to drain a battery or even allow a hacker to stop a charge in its tracks. Realizing the potential for damage, Hunt contacted Nissan.
Nissan announced in late February that NissanConnect was going offline to address the concerns. How soon a more security-conscious version of the app might be made available to Leaf and e-NV200 owners remains unclear. Hunt hopes the reboot will enable Nissan to return to market with an app that “ensures vehicle features and driving history are only accessible via the authorized owner of the car,” The Christian Science Monitor quoted him as saying.