A pair of security experts, Scott Helme and Troy Hunt, have released a video showing that the Nissan Leaf can be hacked through the APIs of the company’s remote management apps. While there is no danger to drivers, it shows that there are vulnerabilities nonetheless.
Nissan Leaf hacked from 10,000 miles away
The video shows Mr. Hunt, in Australia, manipulating a Nissan Leaf owned by a friend of his in the UK while Mr. Helme sat in that vehicle.
Having discovered the hack, Mr. Hunt contacted Nissan and gave the automaker 30 days to fix the problem before he went public with the information this week. Nissan is apparently working on the problem, but chose not to comment when contacted by the BBC.
At the very worst, someone hacking your car could drain your battery through the use of the Nissan Leaf’s seat warmers or air conditioning. The vulnerabilities in the API for both the Android and iOS mobile apps don’t seem to work when the car is in motion, and again, there is nothing even close to “disable brakes” written into either app.
“The right thing to do at the moment would be for Nissan to turn it off altogether,” Mr Hunt told the BBC.
“They are going to have to let customers know. And to be honest, a fix would not be hard to do.
“It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre.”
He also pointed out that Nissan Leaf owners can disable their Nissan CarWings account and disable remote access to their cars.
In order to gain access to the car through the apps, a potential hacker would need to have the car’s VIN. The thing is, all Nissan Leafs have a VIN that begins with “SJNFAAZE0U60”, followed by five additional digits. While you need those digits, you can see them through the windshield of the Nissan Leaf, so they are right there for anyone interested.
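The following is an added example, not code from the article, the researchers or Nissan: a minimal Python sketch contrasting a handler that treats the VIN as the only credential with one that authenticates the caller and then checks that the VIN belongs to that account. All names, commands, status codes and VIN values are hypothetical and constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: account -> VINs registered to it (placeholder VINs).
ACCOUNT_VEHICLES = {
    "alice": {"VIN-PLACEHOLDER-00001"},
    "bob": {"VIN-PLACEHOLDER-00002"},
}
ALLOWED_COMMANDS = {"climate_on", "climate_off", "battery_status"}
SESSIONS = {}  # session token -> account name


def login(account):
    """Issue an unguessable session token (password check omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def handle_vin_only(vin, command):
    """Flawed pattern: the VIN is treated as both identifier and credential."""
    known = any(vin in vins for vins in ACCOUNT_VEHICLES.values())
    return (200, "accepted") if known and command in ALLOWED_COMMANDS else (404, "unknown")


def _session_account(token):
    """Look up the token using a constant-time comparison."""
    for known, account in SESSIONS.items():
        if hmac.compare_digest(known.encode(), (token or "").encode()):
            return account
    return None


def handle_authorized(token, vin, command):
    """Hardened pattern: authenticate the caller, then check VIN ownership."""
    account = _session_account(token)
    if account is None:
        return (401, "authentication required")
    if command not in ALLOWED_COMMANDS:
        return (400, "unsupported command")
    # Same answer for "not yours" and "does not exist", so VINs cannot be probed.
    if vin not in ACCOUNT_VEHICLES.get(account, set()):
        return (403, "forbidden")
    return (200, "accepted")
```

The ownership check runs on the server for every request, so knowing or reading a VIN grants nothing without a session for the account that vehicle is registered to.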
Now hacking a Tesla is another animal
While this discovery hardly shows the danger in someone accessing your car, it shows a larger problem. If someone were to take control of your Tesla Model S while in “auto-pilot” mode, that could lead to a really bad day.
While I trust Tesla’s security is much greater than Nissan’s, it shows that makers of self-driving cars and other cars that are connected to the Internet will need to be very careful working forward into the future.
The Tesla Model S’ auto-pilot is upgraded via the internet when the company wishes to make improvements to the system.
Nissan Leaf hack not completely harmless
“It’s not as bad as it could be,” Mr Helme told the BBC.
However, Helme pointed out that the hack allows the hacker to observe your movements, and that’s certainly a bit creepy and, as you’ll read, inconvenient.
“But if I was to monitor your movements over the course of the week and learn when you go to and from work, shortly after you got to your office I could run the heating for the remainder of the day,” said Helme.
“That would potentially leave you with very little power – certainly not enough to get back home.”
Following Nissan’s failure to fix the problem pointed out by Hunt or to inform the public, Hunt went public.
“I decided we were past the point of not letting the cat out of the bag,” he said.
“Unfortunately what we are seeing is just another case of security being important after a problem is discovered,” he added.