Nissan Disables App that Let Hackers Drain the Battery on Its Electric Car

Nissan has pulled the plug on an app for its leaf electric car after researchers revealed the app could be abused by hackers.

On Wednesday, security researchers Troy Hunt and Scott Helme warned hackers could trivially exploit a bug in the NissanConnect EV app to download drivers' trip histories, and turn on and off the fans and air conditioning. Initially, Nissan only said it was "aware" of the issue and that it was working to fix it "soon."

But hours later, Nissan backpedaled, announcing that it was making the app "unavailable" after its own internal investigation confirmed the researchers findings.

"Our 200,000 Leaf drivers across the world can continue to use their cars safely and with total confidence," Nissan spokesperson Steve Yaeger said in a statement. "The only functions that are affected are those controlled via the mobile phone—all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan Leaf customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount."

The app, which allowed drivers to check their car's battery status and their driving history, as well as regulate climate controls from their smartphones, can still be downloaded from app stores, but Nissan disabled the app's server and its platform web service, or API. (Drivers can still access the web app through a browser, according to Yaeger.)

Essentially Nissan made the app useless, according to Helme, who is also a Nissan Leaf owner.

Both Helme and Hunt applauded Nissan's decision.

"I think Nissan have now made the right decision. As an owner I'm aware of the inconvenience this causes but it's important that security takes priority," Helme told Motherboard in an email. "Hopefully Nissan will work to resolve this issue as quickly as possible and we can continue to enjoy a more secure connected vehicle in the future."

This is a good response from Nissan, it's the right way to handle it Troy HuntFebruary 25, 2016

In this case, the bug didn't allow hackers to take control of the driving wheel or any critical function of the car, but it could still have caused serious inconveniences. Hackers could have drained drivers' batteries while the car was parked just by cranking up the AC, or accessed their private driving history. All hackers needed to access these functions was the car's unique identifier, or vehicle identification number (VIN), which is usually displayed on a car's windshield. But it could have also been easily guessed with an automated script, according to the researchers.

This bug is also a good reminder that some car manufacturers still need to take security seriously, as they all join in the trend of connecting their vehicles to the internet.

Nissan announced it was disabling the app with a statement to reporters, as well as by posting the statement on a forum for electric car owners using an official account. While some owners were relieved to have an official confirmation of what was going on, others lamented the temporary demise of the app.

"I'm cheesed off with the timing," wrote a Leaf owner on the forum. "The one week where it's gonna be minus 2c when I need to get in my car at work all nice and warm, and the bloody preheat/timer thingy isn't working. Fecking [sic] brilliant. The one week where it's gonna be really cold and I have to get in a freezing car."