Nissan Leaf app disabled because it’s hackable
Blogger found he could control heating, cooling system in other cars
Nissan on Wednesday disabled an app that allowed owners of its electric Leaf car to control their cars’ heating and cooling from their phones after an Australian researcher showed he could use it to control others’ cars as well.
The Nissan Connect EV app, formerly called Car Wings, enabled a remote hacker to access the Leaf ’s temperature controls and review its driving record, merely by knowing the car’s VIN (vehicle identification number).
Computer security researcher Troy Hunt published a blog post Wednesday describing how he discovered the flaw and reported it to Nissan on Jan. 23. He only posted his blog after the issue began to be discussed on security forums online, he wrote. Nissan did not announce it was disabling the app after he had done so.
Nissan spokesman Steve Yaeger said in an email to USA TODAY the issues relating to the app had “no effect whatsoever on the vehicle’s operation or safety.”
In a statement, the company said, “our 200,000 Leaf drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.”
Hunt emphasized that while this particular security vulnerability didn’t impact driving controls, it is a cautionary tale for auto makers. “As car manufacturers rush towards joining in on the ‘Internet of things’ craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place,” he wrote.
“We are lucky in this case the attacks were only focused on functionality in the air-conditioning and heating system and were done by a ‘white hat’ and not a criminally minded black hat hacker,” said Reiner Kappenberger, a product manager with HPE Security–Data Security of Cupertino, Calif.