Nissan disables its Leaf remote control app (update)
Any hacker could mess with your heating and spy on your driving data.
GM recently found out that connected cars can be vulnerable to online attacks, and now it's Nissan's turn. Security researcher Troy Hunt reports several parties have learned that the Leaf's climate control system is susceptible to attack through flaws in its companion app, which lets you remotely activate certain features. There's apparently no safety risk (it only works when you're parked), but an intruder abusing the code could turn on the climate system in any car -- provided they know the VIN -- from anywhere in the world. Imagine leaving work to find that your battery is dead, simply because a prankster ran the heating all day -- not very fun, is it?
There's also a privacy concern. Attackers could get the username for the CarWings account you need to register the app, which might give them a clue as to who you are.
Hunt reported the flaw to Nissan about a month ago, and the car builder tells the BBC that it's working on a "permanent and robust" fix for the problem. If you're worried, you can unregister the app to lock out any threats in the meantime. Even so, the exploit isn't very reassuring -- it's further evidence that vehicle makers of all stripes still have a lot to learn about internet security.
Update: USA Today reports that Nissan has disabled the NissanConnect EV app while it works on the security flaws. There's no word on when that's expected to be completed, but for now owners will just have to control their car's AC directly, from inside the car.
Update 2: We've received an official statement from Nissan; you can read the whole thing below.
"The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF and eNV200) is currently unavailable.
"This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
"No other critical driving elements of the Nissan LEAF or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.
"We apologize for the disappointment caused to our Nissan LEAF and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
"We're looking forward to launching updated versions of our apps very soon."
