The mobile management APIs of the Nissan Leaf electric car may be faulty, which may allow a hacker in another part of the world to gain control over crucial features like battery charge management and to access information that may be crucial to the customer, security researchers Troy Hunt and Scott Helme have reported. The vulnerability in the API may allow anyone who knows a car’s VIN to reach the car from anywhere on the internet.
Troy Hunt, after being told of this vulnerability by another researcher who had attended a security workshop with him, tested it from the UK using an easily attainable VIN and found that he was able to gain control over the air conditioning and heating systems of his colleague’s car, on which it was tested. Having successfully performed the experiment, Hunt then uploaded a video of the hack.
Hunt supposedly exploited the NissanConnect app, which owners use to check on certain important features of their cars, to gain access to the car’s climate control and fiddle with its heating systems. Since a security researcher was performing the hack, there wasn’t much to worry about, but a hacker could easily use this very vulnerability to gain control over many of the car’s features, like data on the car’s recent journeys, and manipulate them to suit malicious intents. Hunt himself gave an instance of such a problem: “It’s much like being able to start the engine in a petrol run car to run the AC, it’s going to start consuming the fuel you have in the tank. If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it…. You’d be stranded.”
The hack is reportedly extremely easy to accomplish. All that is needed to carry it out is the VIN, which is clearly displayed on the car’s windscreen.
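The flaw as described is a missing authorization check: a request is accepted on the strength of the VIN alone. The following added example (a hypothetical service, not Nissan's code or API; every name, token and VIN in it is constructed) contrasts a VIN-only handler with one that authenticates the caller and checks that the VIN is registered to that caller.

```python
# Added illustration: hypothetical service, not Nissan's API or code.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)            # constructed signing key
OWNERS = {"alice": {"VIN-CONSTRUCTED-0001"},    # constructed account -> VIN registry
          "bob": {"VIN-CONSTRUCTED-0002"}}


def _mac(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user):
    """Session token handed out after a successful login (login not shown)."""
    return f"{user}.{_mac(user)}"


def user_from_token(token):
    """Return the user name if the token's MAC verifies, else None."""
    user, _, mac = (token or "").rpartition(".")
    if not user:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None


def set_climate_vin_only(vin, on):
    """The flaw as reported: the VIN is the only thing a request must carry."""
    known = any(vin in vins for vins in OWNERS.values())
    return (200, f"climate {'on' if on else 'off'}") if known else (404, "unknown VIN")


def set_climate_authorized(token, vin, on):
    """Hardened: authenticate the caller, then check the VIN is the caller's."""
    user = user_from_token(token)
    if user is None:
        return (401, "authentication required")
    if vin not in OWNERS.get(user, set()):
        # Same answer for "not yours" and "does not exist", so VINs cannot be probed.
        return (403, "forbidden")
    return (200, f"climate {'on' if on else 'off'}")
```

A VIN is an identifier printed where anyone can read it, so it can select which car a request is about but cannot serve as proof of who is asking.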
Scott Helme, who assisted Hunt in his little experiment, provided details on how to prevent such a malicious hack from occurring. Customers who are worried about their vehicles just have to unregister themselves from the NissanConnect app to prevent access to the car’s features through a mobile service application, which can be accessed by many.
To disable ‘CarWings’, owners must log into the service from their browser, then select ‘Configuration’ and finally click the ‘Remove CarWings’ option to disable the access.
While Hunt did admit that the vulnerability wasn’t an extremely dangerous one, he still wanted Nissan to look into the problem, which is why he has warned them several times.