On February 24, 2016, Troy Hunt, a Microsoft MVP for Developer Security, reported a vulnerability in the remote management APIs for the Nissan LEAF. Anyone with the VIN of one of the cars is able to access certain features over the internet, from anywhere in the world.
The Nissan LEAF is a fully electric car, popular in countries like Canada and Norway that are adopting green initiatives and even offering financial incentives to drivers willing to switch from fuel-reliant engines. These vehicles also have a companion app, Nissan Connect, which allows users to remotely access certain features of their vehicle.
In January 2016, while Hunt was on a training program in Oslo, Norway, one of his students discovered that he could retrieve data from and control the AC of his car without actually using the app. It was also discovered that it was possible to access other Nissan LEAF drivers' cars by knowing, or guessing, the last 5 digits of the VIN.
These findings were also supported by a follower of Hunt's living in Canada, who was experiencing similar issues. The video below shows Troy and fellow security researcher Scott Helme demonstrating the vulnerabilities.
The documented features in the app are limited, allowing users to:
While none of these features are life-threatening, as a brake release would be, hackers could certainly cause car owners trouble by running their batteries down or tracking the times that people travel. The exposed data doesn't include physical GPS location, although it does include dates, distance, time and number of trips.
According to Hunt, there is no authorization on the app; fixing this vulnerability would be hard, and the best thing for Nissan to do is shut down the application. He gave Nissan a month to fix the issue before going public with the information. At this point Nissan has not commented.
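The flaw Hunt describes, an endpoint that takes a VIN and nothing else, is an ownership check that was never made. The following is an added example, not Nissan's code or Hunt's: a model of the VIN-only lookup beside a version that ties the VIN to an authenticated account, plus a log heuristic that flags one client touching many VINs. All VINs, tokens, accounts and log lines are constructed sample data, and the function names are assumptions for illustration.

```python
# Added example, not Nissan's code: models the flaw described above (a
# remote-management endpoint keyed only by VIN) beside the ownership check
# that closes it, plus a log heuristic for spotting abuse. All VINs, tokens,
# accounts and log lines are constructed sample data.

# Constructed back-end state: VIN -> telemetry the API exposes
VEHICLES = {
    "SJNFAAZE0U0000001": {"battery_pct": 81, "climate_on": False},
    "SJNFAAZE0U0000002": {"battery_pct": 40, "climate_on": True},
}
OWNER_OF = {"SJNFAAZE0U0000001": "alice", "SJNFAAZE0U0000002": "bob"}
SESSIONS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}  # login token -> account


class Forbidden(Exception):
    pass


def vulnerable_status(vin):
    """Pre-fix behaviour as the article describes it: the VIN is the only
    'credential', so anyone who knows or guesses it gets the data."""
    return VEHICLES[vin]


def hardened_status(session_token, vin):
    """Fix: authenticate the caller, then authorise them for this VIN.
    The VIN stays a public identifier and is never treated as a secret."""
    account = SESSIONS.get(session_token)
    if account is None:
        raise Forbidden("not authenticated")
    if OWNER_OF.get(vin) != account:
        # Same error for a foreign VIN and an unknown VIN: do not confirm
        # which VINs exist to an unauthorised caller.
        raise Forbidden("not authorised for this vehicle")
    return VEHICLES[vin]


def flag_vin_enumeration(log_lines, threshold=3):
    """Detection heuristic for the exposed endpoint: one client touching many
    distinct VINs is a sign of guessing. Lines look like 'client=<id> vin=<vin>'."""
    seen = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen.setdefault(fields["client"], set()).add(fields["vin"])
    return sorted(c for c, vins in seen.items() if len(vins) >= threshold)
```

The hardened handler returns the same error whether the VIN belongs to someone else or does not exist, so a caller cannot use the endpoint to learn which VINs are registered.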
Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.