Nissan’s Leaf electric cars can be easily hacked using insecure APIs from anywhere in the world
Some of Nissan’s Leaf cars can be easily hacked, allowing their heating and air-conditioning systems to be hijacked, according to two security researchers. The researchers, Scott Helme and Troy Hunt, demonstrated vulnerabilities in the Nissan Leaf remote management APIs that allow anyone with the car’s VIN to access certain features of it from anywhere on the Internet.
Troy Hunt reported that a flaw in the electric vehicle’s companion app also meant data about drivers’ recent journeys could be spied on. The attack can be carried out from anywhere in the world, as demonstrated by Hunt, who lives in Australia, and Helme, in the north of England, over 10,000 miles apart.
- Check state of battery charge
- Start charging
- Check when battery charge will complete
- See estimated driving range
- Turn on or off the climate control system
Hunt and Helme found that the APIs used by the App to communicate with the car are open and unauthenticated and can be manipulated easily. All Nissan Leafs share a VIN prefix of “SJNFAAZE0U60” with the last 5 characters unique for each. Hunt says that to access the APIs the hacker just needs to know the full VIN. This code is usually stencilled into a car’s windscreen, making it relatively easy to copy. The initial characters of a VIN refer to the brand, make of car, and country of manufacture/location of the firm’s headquarters.
So, Hunt said, it would only be the final numbers that varied between different Nissan Leafs based in the same region. To conduct the attack, the hacker need not even use the App, says Hunt. The commands could be sent via a web browser to conduct the hack.
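The flaw described above is a missing authentication and ownership check: the server treats the VIN, which is visible on the windscreen, as if it were a credential. The sketch below is an added example, not Nissan's code or the researchers'; the handler names, accounts, token scheme and test VINs are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumptions for illustration only).
SERVER_KEY = secrets.token_bytes(32)
OWNERS = {"alice": {"TESTVIN0000000001"}, "bob": {"TESTVIN0000000002"}}


def _mac(user: str) -> str:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Issued only after a real login (not shown). No expiry, to keep it short."""
    return f"{user}.{_mac(user)}"


def authenticate(token):
    """Return the user bound to a valid token, or None if missing or forged."""
    if not token or "." not in token:
        return None
    user, mac = token.rsplit(".", 1)
    ok = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None


def climate_insecure(vin: str, on: bool):
    """Pattern the article describes: the VIN alone selects the car."""
    known = any(vin in vins for vins in OWNERS.values())
    return (200, {"vin": vin, "climate": on}) if known else (404, {})


def climate_hardened(token, vin: str, on: bool):
    """Same action, but the caller must be authenticated and own the VIN."""
    user = authenticate(token)
    if user is None:
        return (401, {})  # no session, or a forged one
    if vin not in OWNERS.get(user, set()):
        return (403, {})  # valid user, but not their car
    return (200, {"vin": vin, "climate": on})
```

The ownership check matters as much as the login: with authentication alone, any signed-in owner could still act on another owner's VIN.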
To confirm the problem, Australia-based Hunt used the VIN of a Nissan Leaf-owning acquaintance based in the UK.
Mr Hunt acknowledged that the issue was not life-threatening, but said hackers could still exploit the NissanConnect app’s vulnerability to cause mischief by running down people’s batteries.
Hunt said that they had notified Nissan about the vulnerability and had given the firm a month to fix the issue before deciding to make it public. As of now, the vulnerability has not been patched by Nissan, so Hunt said car owners could protect themselves by disabling their Nissan CarWings account.
Those who have never signed up are not at risk.