Nissan has pulled the plug on a mobile phone app made for owners of the world’s best-selling electric car after security researchers revealed that it could be abused to remotely control the functions of another person’s automobile from anywhere with an Internet connection.
The Japanese automaker disabled its NissanConnect EV smartphone app on Wednesday this week and issued an apology after Troy Hunt, an Australian researcher, disclosed what he called “a very serious issue” affecting the Nissan LEAF, an all-electric car that has sold more than 200,000 units since being introduced in 2010.
Mr. Hunt wrote on his blog earlier in the day that the app had been designed in a manner that made it possible to remotely control the climate inside another person’s car, or access information about its driving history, simply by knowing or guessing the last five digits of its unique VIN, or vehicle identification number.
The app had been designed to give LEAF owners access to data about their own automobiles, but the researcher wrote that it was developed with “absolutely zero access controls,” allowing anyone with a vehicle’s VIN — or software that can generate random number combinations — to hack a car’s controls.
“Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded,” he wrote on Wednesday.
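To make the access-control point concrete, here is an added illustration (not Nissan's code, and not taken from Mr. Hunt's write-up) of the difference between an endpoint that trusts a VIN alone and one that binds every request to an authenticated owner; the VINs, user names and session tokens are constructed for the example.

```python
"""Why a VIN on its own is not an access control.

A tiny model of a telematics endpoint with two handlers: one that honours any
request naming a known VIN (the pattern the article describes) and one that
first authenticates the caller and then checks that the VIN belongs to that
caller. All data below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: which vehicles exist and which account owns each.
VEHICLES = {"1N4AZ0CP5DC000001": "alice", "1N4AZ0CP5DC000002": "bob"}
# Constructed session tokens, as an authenticated app would present them.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    vin: str
    token: Optional[str] = None  # absent in the VIN-only design


def climate_vin_only(req: Request) -> Tuple[int, str]:
    """Insecure pattern: any request that names an existing VIN is honoured,
    so whoever knows or guesses a VIN controls that vehicle's climate system."""
    if req.vin not in VEHICLES:
        return 404, "unknown vehicle"
    return 200, f"climate control activated for {req.vin}"


def climate_owner_bound(req: Request) -> Tuple[int, str]:
    """Hardened pattern: authenticate the caller, then require that the VIN is
    associated with the caller's account. Unknown VINs and VINs owned by
    another account get the same response, so the endpoint cannot be used to
    confirm which VINs exist."""
    user = SESSIONS.get(req.token or "")
    if user is None:
        return 401, "authentication required"
    if VEHICLES.get(req.vin) != user:
        return 403, "vehicle not associated with this account"
    return 200, f"climate control activated for {req.vin}"


if __name__ == "__main__":
    # Same request against both handlers: the VIN-only design accepts it.
    req = Request(vin="1N4AZ0CP5DC000002")
    print("VIN only    :", climate_vin_only(req))
    print("owner bound :", climate_owner_bound(req))
```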
Mr. Hunt said he chose to publicly disclose the vulnerability on his blog after spending more than a month attempting to bring it to the attention of Nissan, during which time he became aware of at least three other people who had noticed the issue, and even discussed it on online forums.
Shortly after publishing his report on Wednesday, Nissan issued an apology and suspended the app’s service until an updated version can be released.
“The NissanConnect EV app — formerly called CarWings — is currently unavailable,” the firm said in a statement. “This follows information from an independent IT consultant and a subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.”
“No other critical driving elements of the Nissan Leaf or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence,” the automaker added. “We apologize for the disappointment caused to our Nissan Leaf and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.”
Speaking to the BBC, Mr. Hunt said that “Disabling the service was the right thing to do given it appears it’s not something they can properly secure in an expeditious fashion.”
“Hopefully this will give them time to build a more robust solution that ensures vehicle features and driving history are only accessible via the authorized owner of the car,” he said.
Even if critical functions like acceleration and steering weren’t affected by the vulnerable app, researchers said the exploit could have been harnessed by hackers to do damage nonetheless.
“Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it,” said Scott Helme, a researcher who helped the Aussie investigate the issue. “It’s much like being able to start the engine in a petrol car to run the AC, it’s going to start consuming the fuel you have in the tank. If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it… You’d be stranded.”
“The other main concern here is that the telematics system in the car is leaking *all* of my historic driving data. That’s the details of every trip I’ve ever made in the car including when I made it, how far I drove and even how efficiently I drove,” Mr. Helme added. “This could easily be used to build up a profile of my driving habits, considering it goes back almost 2 years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”
In July, Fiat Chrysler recalled roughly 1.4 million automobiles after researchers showed that the critical functions of certain high-tech cars, including select Ram pickups, Dodge Viper sports cars and Jeep Grand Cherokees, could be taken over by hackers.