facebook rss twitter

Nissan Leaf electric car is easily hackable via a web browser

by Mark Tyson on 25 February 2016, 10:31

Quick Link: HEXUS.net/qacywu

Add to My Vault: x

The world's bestselling electric car, the Nissan Leaf, is easily 'hackable' remotely using just a web browser. What was demonstrated to be the scope of the hack in this case probably won't give most people sleepless nights - Nissan doesn't think there is a safety risk - but it is nonetheless concerning that people can look at your Leaf trip data and adjust certain systems in your car with such ease. The issue seems to stem from the NissanConnect app, which gives owners various information about their cars and control over such tings as the air conditioner and heating, simply based upon them knowing the car ID number, with no further authentication.

Security researcher Troy Hunt discovered that just by knowing a Nissan Leaf's unique Vehicle Identification Number (VIN) hackers could access the car's connected systems. This number is printed on a sticker in the windscreen on some models. The VIN consists of characters which indicate the brand, make and country of manufacture of a car and just the last five digits vary between different Nissan Leaf cars in any country. So obscuring your VIN in your windscreen isn't going to stop you being hacked if someone is simply malicious enough to do the following:

"There's nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries and turn the air conditioning on in every one," according to Hunt. "They would then get a response that would confirm which vehicles exist."

As noted by one of Hunt's contacts in the UK, hacking to control an air conditioner, heater, or access travel logs doesn't seem too threatening but - someone could drain your battery while you were parked at work without a charge point, for example, preventing you from getting home. The privacy and security risk of someone being able to access all your journeys is also concerning.

Nissan has told the BBC that it is aware of the issue and is working on a solution. Hunt said he told Nissan about this hack a month ago. Please note that the car systems cannot currently be hacked when users are operating the car, Hunt added that unregistering the NissanConnect app prevents remote hacker attacks.

HEXUS Forums :: 2 Comments

Login with Forum Account

Don't have an account? Register today!
Posted by TheAnimus - Thu 25 Feb 2016 14:06
Authorisation is hard to do properly. But at least try to do it at all…..
Posted by whatif - Fri 26 Feb 2016 03:31
Could be a bit annoying if you don't get along with someone like the neighbour, every morning the air-con set to high or low. Also a neat prank on a friend who is not aware - sort of similar to turning up to their house with a extra TV remote and create viewing confusion (done it before).
Lucky these were not the more advanced models with all the new self-driving facilities that are being worked into them nowadays. Like the one they are trialing at a parking station, you leave the electric car at the entrance, and the system parks it, moves it to a available charging station when available, re-park it, then brings it out to the exit after you alert it to your approach. Hope they have these well secured.