NissanConnect EV app

Security researcher discovers flaw with the NissanConnect EV app during software workshop.

Nissan owners who want to remotely connect to their electric vehicles’ climate control systems are out of juice for the time being. Nissan has announced it has taken the NissanConnect EV app offline after a team of security researchers discovered a potentially serious flaw in the software’s security.

NissanConnect EV is an app that enables owners of the company’s Leaf and e-NV200 van models to gain remote access to climate control systems, such as the air-conditioning and heated seating. The app also allows users to access such functions as battery charging. It does not provide access to driving elements, but the potential for identity theft and performance tampering attached to the hack was enough to prompt Nissan to pull the app until its security measures could be improved.

Security researchers Troy Hunt and Scott Helme discovered the flaw during a recent software workshop in Oslo. A workshop attendee took Hunt’s advice to “hack himself first” and found he was able to connect to his own Leaf over the Internet and control its features independently of what Nissan had intended, Hunt wrote on his blog. Most alarming, he discovered he could “control other people’s Leafs,” Hunt wrote, because access only required a Vehicle Identification Number (VIN).

You Might Also EnjoyMore than Half of Americans Feel Satisfied with their Job Security

Hunt and Helme were able to replicate the hack using Helme’s own Leaf. Of particular concern was the fact the hack enabled access to the owner’s username, which could ultimately reveal identity. “Whilst it’s not specifically personally identifiable information such as the individual’s address, by the time you have a VIN which you know belongs to a Leaf registered within it specific country, it may not take too much effort to fill in the gap,” Hunt said as reported in Wired.

Since VINs only differ by five to six digits, the relative ease with which others could access the program was also troubling to Hunt. “Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded,” Hunt explained on his blog. This hack had the potential to leave motorists stranded since the app could allow air conditioning to remain running to drain a battery or even allow a hacker to stop a charge in its tracks. Realizing the potential for damage, Hunt contacted Nissan.

Nissan announced in late February NissanConnect was going offline to address the concerns. How soon a more security-conscious version of the app might be made available to Leaf and e-NV200 owners remains unclear. Hunt hopes the reboot will enable Nissan to return to market with an app that “ensures vehicle features and driving history are only accessible via the authorized owner of the car,” The Christian Science Monitor quoted him as saying.

Get Free Updates!

Stay in the loop with a bi-monthly newsletter, with all our news from the previous week.

I agree to have my personal information transfered to MailChimp ( more information )

We will never give away, trade or sell your email address. You can unsubscribe at any time.

Please Leave A Comment

comments

Related posts:

Marketing Software Demand Underscored by Marin Software, Inc. IPO Success Default ThumbnailHackers May Have Stolen $1 Billion from 100 Banks Worldwide Free Data Visualization Tool Offered to Students by Tableau Software Business Intelligence Software Addresses Critical Industry Need Apple iPhone SecurityApple Balks at Order to Unlock San Bernardino Shooter’s iPhone