Security flaw disclosed: Nissan shuts down Leaf connectivity function

February 25, 2016 // By Christoph Hammerschmidt
A new vulnerability is alarming users of connected cars: the NissanConnect EV interface, designed to remotely read out condition data and control systems such as air conditioning in Nissan models, can be easily accessed and abused by unauthorised persons. In addition, the vehicle willingly transmits a large amount of internal data to anyone who digs just a little deeper into the vehicle’s electronics, remotely and from any place in the world.

The vulnerability has been disclosed by security researcher Troy Hunt in a blog post. According to the post, all a hacker needs to access the system is the Vehicle Identification Number (VIN) and the IP address associated with the vehicle. Both are relatively easy to obtain: the IP address can be found through specific search engines, and the VIN is even visible behind the vehicle’s windshield. Since only the last five digits of this number differ, it is even possible to have a computer try out all VINs. Accessing the car remotely is made much easier by the fact that Nissan’s remote interface does not require any kind of authentication from the hacker, not even a password or PIN code. With the method described in his blog post, Hunt succeeded in accessing a Nissan Leaf in England while he himself was sitting on his couch in Australia.

It is also possible to read out internal data of the vehicle, such as the charging level as well as the date, time and distance of recent trips. During this process, the hacked car was not even powered up.
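The authorization gap described above, as an added example that is not taken from Hunt’s post or from Nissan’s service: a lookup keyed only on the VIN beside a handler that authenticates the caller and checks vehicle ownership, plus a log check that flags a client walking the last five VIN digits. All function names, tokens, VINs and log entries are constructed for illustration.

```python
"""Added example: VIN-only lookup vs. owner-bound authorization (hypothetical names)."""
from collections import defaultdict

# Constructed sample data: which account owns which VIN, and live sessions.
VIN_OWNER = {"TESTVIN0000012345": "alice", "TESTVIN0000012346": "bob"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
BATTERY = {"TESTVIN0000012345": 80, "TESTVIN0000012346": 35}


def battery_status_vin_only(vin):
    """Flawed pattern from the article: the VIN is the only 'credential'."""
    return BATTERY.get(vin)


def battery_status_authorized(vin, session_token):
    """Hardened form: authenticate the caller, then check they own the VIN."""
    account = SESSIONS.get(session_token)
    if account is None:
        raise PermissionError("unauthenticated")
    # Same error for unknown and foreign VINs, so responses do not
    # confirm which VINs exist.
    if VIN_OWNER.get(vin) != account:
        raise PermissionError("not authorized for this vehicle")
    return BATTERY[vin]


def flag_vin_enumeration(requests, max_distinct=3, suffix_len=5):
    """Return clients that queried more than max_distinct VINs sharing a prefix.

    requests: iterable of (client_id, vin) pairs from an access log.
    """
    seen = defaultdict(set)
    for client, vin in requests:
        seen[(client, vin[:-suffix_len])].add(vin)
    return sorted({c for (c, _), vins in seen.items() if len(vins) > max_distinct})


# Constructed access-log sample: client "c2" walks the last five digits.
SAMPLE_LOG = [("c1", "TESTVIN0000012345")] * 4 + [
    ("c2", "TESTVIN00000%05d" % n) for n in range(12340, 12346)
]
```

The threshold of three distinct VINs per client is an assumed value; a real deployment would tune it against how many vehicles a legitimate account manages.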

Hunt claims he contacted Nissan earlier, describing the problem and its potential for hacking attempts. Nissan was receptive, Hunt writes, but apparently the carmaker reacted rather slowly, so the security expert decided to go public with the problem. This time Nissan apparently reacted faster: after the blog post, the carmaker deactivated the function immediately.

Related links:
YouTube video in which Hunt explains his approach:

Hunt’s blog post:
