Researcher decides to go public with flaw after giving Nissan one month to fix the vulnerability
A security researcher has decided to go public with a security flaw for the Nissan Leaf electric car, after he gave the car maker one month to address the flaw.
The failure of Nissan to address the vulnerability with its mobile app in a timely manner highlights the growing issue of car makers struggling to get up to speed with security issues with connected vehicles.
The vulnerability with the Nissan Leaf was discovered by Australian security research Troy Hunt and concerns the Nissan Leaf mobile app.
While the flaw does not impact any life threatening systems in the car, it could allow for heating and air-conditioning systems to be hijacked, and journey data to be accessed.
Hunt explained how he was in Norway giving a training course, he bumped into an attendee who was also owner of a Nissan Leaf. The Leaf owner had discovered that he could remotely connect to his Leaf car via the Internet, and could control features independently of how Nissan had designed the mobile app.
Troy went back to Australia and teamed up with UK security researcher Scott Helme, who also happens to own a Nissan Leaf.
Troy was able to choose which Nissan Leaf car to control via the VIN (vehicle identification number). Most cars nowadays have their VIN number stencilled into the windscreen, making it easy to copy. Only the last five digits of a VIN differ, but a computer program can easily cycle through different possibilities to access other people’s Nissan Leaf cars.
“We elected for me to sit outside in a sunny environment while Scott was shivering in the cold to demonstrate just how remote you can be and still control feature of someone else’s car, literally from the other end of the earth,” blogged Hunt.
A video demonstrated how Hunt (sitting in Australia) was able to use the Nissan website or the Nissan app to adjust the car’s onboard climate control systems for Helme’s Nissan Leaf in the North of England. Helme sat in his car, without his keys, and watched as Hunt adjusted climate control systems, and also accessed his journey data.
This flaw is potentially serious for owners of electric cars, who tend to use the website or mobile app to “preheat” their car before a journey. If a hacker were able to access the air conditioning or heating system, they could potentially drain the electric car’s battery, stranding the owner in a particular location until he or she is able to recharge the car.
Hunt went public with the flaw after he gave Nissan a month to rectify it. He also discovered that some Canadian Leaf owners had discovered and shared knowledge of the flaw on an online forum.
A Nissan spokeswoman told the BBC that the car maker was not yet able to comment on the matter.
Last month General Motors (GM), which owns the Vauxhall, Chevrolet, and Cadillac brands, said it would allow hackers to report vulnerabilities in its vehicles without the threat of being charged by the company as part of its HackerOne program.
Last October, researchers at software security company Security Innovation reported that they were able to hack the radar scanner built in to some smart vehicles, making it think that obstacles or pedestrians are in the road and possibly sending it swerving without warning.
Last September Fiat Chrysler ordered another major recall of some of its vehicles in the United States after more were found to be affected by a serious software vulnerability which could lead to them being attacked by cybercriminals.
Telsa has also patched a potentially serious flaw that allowed researchers to assume control of the vehicle. That hack however was only possible because the researchers had access to the inside of the car.
And prior to that BMW confirmed it had patched a serious security flaw that could have allowed hackers to seize control of some of its cars’ systems.
In the driving seat about connected cars? Take our quiz!