Nissan has suspended an app for its electric Leaf car after it emerged that the software could easily be hacked, making thousands of cars vulnerable.
Security researcher Troy Hunt revealed how lax security controls on the Leaf let him take over the heating controls of another person’s Leaf and see details of its driver’s journeys.
Modifying the temperature controls could let hackers run down the Leaf’s battery or make the car uncomfortably or dangerously hot for anyone inside. Details of each journey recorded by the car’s inbuilt log, including journey distances, were also available, as were car owners' usernames. Hunt revealed how he was able to hack a Leaf in the north of England from Australia using only a browser and a web address.
All he needed to gain access was the vehicle identification number (VIN) of the Leaf in question, which is written on the cars’ windscreens. “The ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial,” Hunt said.
To access the car’s controls and logs, Hunt did not need a password or any other form of verification beyond the easily discoverable VIN. In fact, he could access different Leafs’ systems simply by randomising the five digits on the end of the number.
The Leaf is the world’s best-selling electric car, and more than 200,000 have been sold since its launch in 2010. Nissan said it had disabled the app after the problems emerged.
"The only functions that are affected are those controlled via the mobile phone," the company said. "We apologise for the disappointment caused to our customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount. We're looking forward to launching updated versions of our apps very soon."