Nissan, citing security risks, disables Leaf app

Nissan Motor Co. has disabled an app for the Leaf that left the electric car vulnerable to hackers, allowing someone to see the car’s driving history and other data.

The NissanConnect EV app, which allows Leaf drivers to control the car’s heating and cooling over the phone, had a security flaw publicized by Australian researcher Troy Hunt.

He says the security flaw can allow hackers to adjust other cars’ temperatures and to review their driving histories from the app.

Hunt, in a post published Wednesday on his blog, said he brought the flaw to the attention of Nissan on Jan. 23 and numerous times since.

Nissan did not disable the app until Wednesday night.

“I would have preferred to see faster action from Nissan,” Hunt wrote. “In my view, this is the sort of flaw that needs to have the service pulled until it can be fixed properly and restored.”

Nissan spokesman Steve Yaeger said in an email that the company disabled the app Wednesday night following an investigation.

“We were contacted by Mr. Hunt last month and began a discussion about his findings,” Yaeger said. “Our initial investigation concluded that the functions affected did not directly impact operation of the vehicle itself. We were working towards a robust solution from the moment we were alerted to this issue.”

Hunt found that the app was not made to properly verify the identity of the owner, requiring only a VIN number to gain access to that data.

He said he published the post before Nissan issued a fix in part because the flaw was being discussed on a Canadian online forum.

“In my view, this is the sort of flaw that needs to have the service pulled until it can be properly fixed and restored,” Hunt wrote. “It’s not a critical feature of the vehicle yet it has the potential to impact its physical function and there’s privacy risk as well. ”

Yaeger said the “integrity of our vehicles has not been compromised,” and said the app will be updated “as soon as possible.” He said owners can still use the Web portal until a fix for the app is made available.

Hunt called the flaw a “different class of vulnerability” than the hacking of a Jeep Cherokee last year since hackers would not have been able to take over the driving controls of the Leaf.

“As car manufacturers rush towards joining in on the ‘internet of things’ craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place,” Hunt wrote.

RECOMMENDED FOR YOU
Possible 'massive' Tesla data breach looked into by European authorities
Letter
to the
Editor

Send us a letter

Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

Recommended for You
Tesla Berlin Aug 2023 Rtrs_0.jpg
Possible 'massive' Tesla data breach looked into by European authorities
Indictment of former Apple self-driving engineer sends message on national security risk, experts say
Indictment of former Apple self-driving engineer sends message on national security risk, experts say
Indy-MAIN_i.jpg
Indy 500 race cars are running on 100% renewable fuel and tires with recycled plastics
Sign up for free newsletters
Digital Edition
Automotive News 5-29-23
THIS WEEK'S EDITION
See our archive
Fixed Ops Journal
Fixed Ops Journal 12-19-22
Read the issue
See our archive