Troy Hunt, a prominent security researcher, has exposed a flaw in the NissanConnect app which allows a remote user to access controls on Nissan Leafs (Leaves?) with only a Vehicle Identification Number (VIN).
Hunt was able to control several remote features on a Nissan Leaf by exploiting security flaws in the company’s phone app. Using the same process as the app, hackers can tamper with controls of a Nissan Leaf from just about any location.
By using his computer as a proxy between the internet and the app, the original hacker who discovered the flaw (not Hunt) was able to view the requests made from the app to Nissan’s servers. In doing so, this anonymous hacker was able to see that the Vehicle Identification Number (VIN) was being used to identify Leafs in these requests.
Furthermore, there is no security identification or authorization for the app.
By using only a Leaf’s VIN, the vehicle can be accessed and controlled remotely and, by law, VINs are typically etched in the window of every car.
When made aware of the flaw, Hunt took action. He made contact with colleague and fellow security researcher Scott Helme to create a demonstration. With Helme in the United Kingdom and Hunt in Australia, Hunt was able to control Helme’s Nissan Leaf from across the world. The trial was documented in the following video.
Hunt was able to access the vehicle and obtain private statistics that could potentially be used maliciously. Data regarding recent trips, distances of those trips, power usage, and the car’s charge state. Hunt was also able to access the Heating, Ventilating and Air Conditioning (HVAC) system and control the car’s AC and heating elements including the seat warmers. Basically, anything the app is programmed to access.
Australia-based Hunt is a security researcher and has been named a Most Valuable Professional for Developer Security by Microsoft. Hunt does not work for Microsoft but has received the title for his community contributions in the field. After contacting Nissan and finding the flaw unresolved after a month, Hunt finally decided to release his findings, which were already recognized by select Leaf owners worldwide.
Hunt disagrees and views the company’s “security through obscurity” as ineffective and has expressed that Nissan could easily discontinue the service until the flaws are fixed.
As of now, any Leaf owner who wishes to avoid potential cyber trouble can unregister their NissanConnect app and disable their Nissan CarWings account to prevent any unauthorized access.