The vulnerability has been disclosed by security researcher Troy Hunt in a blog post. According to the post, all a hacker needs to access the system is the Vehicle Identification Number (VIN) and the IP address associated with the vehicle. Both are relatively easy to obtain: the IP address can be found through specific search engines, and the VIN is even visible behind the vehicle's windshield. Since only the last five digits of this number are different, it is even possible to have a computer try out all VINs. Accessing the car remotely is made much easier by the fact that Nissan's remote interface does not require any kind of authentication from the hacker: not even a password or PIN code. With the method described in his blog post, Hunt succeeded in accessing a Nissan Leaf in England while he himself was sitting on his couch in Australia.
It is also possible to read out internal data of the vehicle, such as the charging level as well as the date, time and distances of recent trips. During this process, the hacked car was not even powered up.
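The weakness described above, an identifier treated as if it were a credential, is shown here as an added in-memory example that is not code from Nissan or from Hunt's post. The VIN, token, client identifiers and function names are constructed for illustration; the hardened handler assumes a per-owner secret and a failure limit, which the article does not describe.

```python
import hmac
import secrets

# Constructed sample data: the VIN, token and telemetry are made up.
PREFIX = "TESTVIN00000"            # 12 fixed characters, 5 varying digits
VIN = PREFIX + "12345"
VEHICLES = {VIN: {"battery_pct": 80}}
OWNER_TOKENS = {VIN: secrets.token_hex(16)}   # per-owner secret (assumption)
MAX_FAILURES = 5
FAILURES = {}                      # failed attempts per client identifier

def status_vin_only(vin):
    """Weak pattern: knowing the VIN is enough to get the data."""
    return VEHICLES.get(vin)

def status_authenticated(client_id, vin, token):
    """Hardened pattern: the VIN only selects the vehicle; a secret authorizes."""
    if FAILURES.get(client_id, 0) >= MAX_FAILURES:
        raise PermissionError("too many failed attempts")
    expected = OWNER_TOKENS.get(vin, "")
    ok = bool(expected) and hmac.compare_digest(expected.encode(), token.encode())
    if not ok:
        FAILURES[client_id] = FAILURES.get(client_id, 0) + 1
        raise PermissionError("not authorized for this vehicle")
    FAILURES[client_id] = 0
    return VEHICLES[vin]

def count_exposed(handler):
    """Walk all 100,000 suffixes in memory and count VINs that return data."""
    exposed = 0
    for n in range(100_000):
        try:
            if handler(f"{PREFIX}{n:05d}"):
                exposed += 1
        except PermissionError:
            pass
    return exposed

if __name__ == "__main__":
    print(count_exposed(status_vin_only))
    print(count_exposed(lambda v: status_authenticated("client-a", v, "guess")))
    print(status_authenticated("owner-app", VIN, OWNER_TOKENS[VIN]))
```

With the VIN-only handler every registered vehicle in the five-digit range is exposed; with the authenticated handler the same walk returns nothing and the client is locked out after five failures.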
Hunt claims he contacted Nissan earlier, describing the problem and its potential for hacking attempts. Nissan was receptive, Hunt writes, but the carmaker apparently reacted rather slowly, so the security expert decided to go public with the problem. This time Nissan apparently reacted faster: after the blog post, the carmaker deactivated the function immediately.
YouTube video in which Hunt explains his approach: https://youtu.be/Nt33m7G_42Q