Nissan’s telematics system in the Leaf electric vehicle (EV) has a nasty security hole that allows hackers to remotely turn on the climate control, check your battery levels and see your trip details. The flaw, discovered by security researcher Troy Hunt, is in the API used by the NissanConnect EV app for smartphones, which is exclusive to the Nissan Leaf.
The NissanConnect app lets users remotely access vehicle features, but does so without a user authentication token. The app simply sends an unencrypted vehicle identification number (VIN) to Nissan’s servers, which then sends commands to the car.
These commands are all accessible by a URL that includes the VIN and the specific command you want to send, which lets anyone control your Leaf from anywhere in the world, as long as they know your VIN.
While VINs are unique to each car, most also share the same basic info, like make, model, build location and other options. The last five digits of a VIN is unique to each car, but it’s quite easy to deduce considering that it reflects a sequential production count.
Anyone who has the base VIN can start guessing numbers and eventually reach a Leaf with NissanConnect EV active without too much effort. You can Google ‘Nissan Leaf VIN’ and find a couple through image search, too.
What does this mean for owners?
I own a Nissan Leaf, and while it may seem like only a minor inconvenience that someone may remotely trigger my climate control, it can actually mean the difference of reaching the next charging station, or being stranded and needing a tow.
Nissan Leaf’s in North America automatically shut off the climate control after 15 minutes of being on without being plugged in, but there’s no limit as to how often you can send the command to activate it.
The climate control system in the Leaf is one of its hungrier features in terms of power consumption, which can reduce driving range by 5-10 miles during normal driving, depending on weather conditions. Using this hack, the Leaf’s battery can be completely drained during a normal work day.
I’ve driven my Nissan Leaf to the limits and required a tow once. The car will give you plenty of warning before it can no longer move on its own, but sometimes there isn’t a public charging station nearby. My first and only tow was a mile from my house. At that point, I had exhausted all possible energy-savings measures, like shutting off climate control in the middle of a freezing winter, turning off the navigation and everything, hoping to make it home.
Granted, this could’ve all been prevented if I hadn’t been stubborn and sped past a quick charger on the way home. I can live with taking the blame for a lesson learned, but if I couldn’t make it home because someone exploited a security hole in Nissan’s API, I would be livid.
There’s also the privacy issue that lets hackers access your driving history, which is my biggest concern. Imagine you have a consistent schedule, you wake up and go to work at the same hours each day. Instead of scouting out the place to burgle, they can find the VIN number for your Leaf, pull the history and see exactly when you aren’t home. I should probably stop giving hackers more ideas.
Call me paranoid, but all of this is possible with the lack of security in NissanConnect EV.
Has Nissan done anything about it?
Since the news of the exploit broke yesterday, Nissan completely shut off access to its servers from the NissanConnect EV app. I tried logging in via the Android app and received an error stating that “the service cannot be provided.”
However, I was able to access NissanConnect EV using the web portal from my PC. Unlike the app, it relies on a secure connection, which still lets me get a status update on the car battery and activate the climate control.
Here’s what you need to do right now
There are a couple of things you can do to protect yourself from this hack. The most obvious is to enable text or email notifications from NissanConnect EV to see every instance of when the climate control is successfully turned on.
If you want greater protection from this potential hack, you can opt out of NissanConnect EV services altogether. To do this, log into the Nissan owner’s portal, choose ‘Edit vehicle,’ then ‘decline’ the NissanConnect EV agreement to remove all telematics features.
The last option, while more extreme, disables the entire navigation and infotainment system. However, if you’re still not satisfied, you can pop the hood, open up the fuse box and yank out the one labeled ‘audio.’ Doing so cuts power completely to the infotainment system and the telematics communications module.