Scott Helme was sitting in his car on a rainy evening in England when something weird happened: His air conditioning and fans went on full blast. What was weird about it was that Helme didn’t turn them on. Somebody sitting at his computer next to a swimming pool on a sunny Australian day did.
That somebody wasn’t just a random, malicious hacker, but security researcher Troy Hunt, who was taking advantage of a bug in an app designed to give owners of the Nissan LEAF, a popular electric car, the ability to control some of the car’s features from their smartphones.
Modern cars are starting to offer owners such comforts. But these apps can sometimes be buggy, and in worst-case scenarios, these bugs can let hackers take control of the car from thousands of miles away.
While this bug doesn’t allow hackers to take control of the car’s engine from afar, as two researchers famously did with a Wired reporter last summer, this is another sign that internet-connected car manufacturers still fail to take security seriously, potentially leaving their vehicles at the mercy of hackers.
“Fortunately, the Nissan LEAF doesn't have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered,” Helme said in a blog post written by Hunt. “Being able to remotely turn on the AC for a car might not seem like a problem, but this could put a significant drain on the battery over a period of time as the attacker can keep activating it.”
Last month, a student in a workshop led by Hunt in Norway found that his NissanConnect EV app was vulnerable. The following day, Hunt contacted Nissan. And while the company was very responsive, according to Hunt, it has yet to fix the bug, more than a month later.
On Wednesday, Hunt published a blog post detailing the vulnerability and his research. For Hunt, there was no reason to wait to disclose the bug publicly, given that other people around the world have discovered it and are openly discussing it online. The researcher decided he had to publish his student's finding in the hopes that owners of the car will uninstall the app while they wait for a patch.
All a hacker needs to mess with a Nissan LEAF owner is the car’s unique identifier, or Vehicle Identification Number (VIN). The VIN is usually displayed on a car’s windshield, but through the app’s API, hackers can easily guess the VINs, and mess with random cars around the world, according to Hunt.
The problem is that the API doesn’t check who’s querying it, allowing anyone to pull data from it, and send commands to the car as if they were the real owners. Due to this bug, anyone can also pull the victim’s trip history, which includes dates, distance travelled, and battery consumption, but no GPS coordinates, according to Hunt.
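The missing check described above, sketched as an added example that is not Nissan's code or part of the original story: one handler trusts the VIN alone, the other authenticates the caller and then confirms that the caller owns the VIN. The function names, session store and VINs are all hypothetical and constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: VINs, accounts and sessions are made up for this example.
OWNERS = {"SAMPLEVIN00000001": "alice", "SAMPLEVIN00000002": "bob"}
SESSIONS = {}  # session token -> account name


def login(account):
    """Issue an unguessable session token (password check omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def climate_vin_only(vin, command):
    """The flaw as the article describes it: the VIN is the only credential."""
    if vin not in OWNERS:
        return 404, "unknown vehicle"
    return 200, f"{command} sent to {vin}"


def climate_authorized(token, vin, command):
    """Hardened form: authenticate the caller, then check they own the VIN."""
    account = None
    for known, name in SESSIONS.items():
        # Constant-time comparison of the presented token against each session.
        if hmac.compare_digest(known.encode(), str(token).encode()):
            account = name
    if account is None:
        return 401, "authentication required"
    # Same response for "no such VIN" and "not your VIN", so the endpoint
    # cannot be used to confirm which guessed VINs exist.
    if OWNERS.get(vin) != account:
        return 403, "forbidden"
    if command not in {"ac_on", "ac_off"}:
        return 400, "unsupported command"
    return 200, f"{command} sent to {vin}"
```

The same ownership check belongs on read endpoints such as trip history, since the article notes that data was exposed through the same API.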
A Nissan spokesperson said that the company is "aware of a data issue" in the NissanConnect EV app, but downplayed it, saying "it has no effect whatsoever on the vehicle's operation or safety."
The spokesperson also said Nissan is "currently working on a permanent and robust solution," but didn't provide a timeline for the fix, only saying that Nissan is "confident that it will be very soon, but we don’t want to set a date."
For Hunt, these issues, while not life-threatening, show that car manufacturers still have a long way to go when it comes to making internet-connected vehicles secure.
“As car manufacturers rush towards joining in the ‘internet of things’ craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place,” Hunt concluded.
This story has been updated to include Nissan's response.