Nissan Disables Leaf EV App Following Disclosure Of Embarrassing Security Lapses
If you've been skeptical of buying a connected car for fear that its technologies could be used against you, it won't help to learn that Nissan has suspended downloads of a companion app for its Leaf electric vehicle for that very reason. At issue is the woeful lack of security, and in particular the lack of authentication.
Here's the deal—the accompanying NissanConnect app, which Leaf owners can install on their smartphones and connect to their car, only looks for the car's VIN. Security researchers Troy Hunt and Scott Helme brought the attention to light yesterday when they published their findings in a blog post. Now a day later, Nissan has disabled the service.
"This API thing is just nuts. It's not even like they just missed auth or didn't check, it's actually not implemented. It was built, intentionally, without security," Helme wrote.
Nissan was informed of the security flaw a month ago but only took action after it became public. As far as Nissan is concerned, it doesn't present a safety issue because a hacker would only be able to mess with the Leaf's and eNV200's climate controls, not the driving functions.
"No other critical driving elements of the Nissan Leaf or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence," Nissan said.
"We apologize for the disappointment caused to our Nissan Leaf and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount."
While it's true that a hacker wouldn't be able to remotely disable the breaks or take control of steering, the ability to turn on the AC remotely could allow for a Leaf or eNV200 owner to return to a car with a dead battery after parking it for work. In addition, a hacker would be able to access a Leaf or eNV200 owner's historic driving data. That kind of information could be useful in figuring out when a person is going to be away from home.
Nissan said it's working on updated versions of its apps and hopes to release them soon.
Here's the deal—the accompanying NissanConnect app, which Leaf owners can install on their smartphones and connect to their car, only looks for the car's VIN. Security researchers Troy Hunt and Scott Helme brought the attention to light yesterday when they published their findings in a blog post. Now a day later, Nissan has disabled the service.
"This API thing is just nuts. It's not even like they just missed auth or didn't check, it's actually not implemented. It was built, intentionally, without security," Helme wrote.
Nissan was informed of the security flaw a month ago but only took action after it became public. As far as Nissan is concerned, it doesn't present a safety issue because a hacker would only be able to mess with the Leaf's and eNV200's climate controls, not the driving functions.
"No other critical driving elements of the Nissan Leaf or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence," Nissan said.
"We apologize for the disappointment caused to our Nissan Leaf and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount."
While it's true that a hacker wouldn't be able to remotely disable the breaks or take control of steering, the ability to turn on the AC remotely could allow for a Leaf or eNV200 owner to return to a car with a dead battery after parking it for work. In addition, a hacker would be able to access a Leaf or eNV200 owner's historic driving data. That kind of information could be useful in figuring out when a person is going to be away from home.
Nissan said it's working on updated versions of its apps and hopes to release them soon.
