An Australian security researcher has hacked into an app used by Nissan Leaf drivers to control parts of the car remotely. The flaw also exposed data recording recent journeys made by the vehicles.
The problem was identified in Nissan’s CarWings app, which allows users to manage several of its functions remotely from a computer or smartphone. The account can be disabled by users. The flaw does not allow a hacker to control the vehicle itself, but allows certain functions such as the climate control to be tampered with. A hacker would only need the Vehicle Identification Number (VIN), which is visible on the windscreen, to exploit the vulnerability. This may cause problems for the Leaf, an all-electric vehicle, because of the potential for the battery to be discharged by hackers turning on power-draining features whilst users are away from the vehicle.
The reports come after flaws were exposed in other car manufacturers’ products, including reports in 2015 of hackers remotely killing a Jeep whilst it was being driven. To date Nissan has sold over 200,000 Leafs, and whilst users may be concerned at the reports, no safety risk has been identified. However, poor security has led some to comment that, whilst the problems may be minor, they are indicative of the attitude of many companies, in which security is prioritised only when things go wrong.