Nissan Disables Leaf EV App Following Disclosure Of Embarrassing Security Lapses
Here's the deal: the accompanying NissanConnect app, which Leaf owners can install on their smartphones and connect to their car, identifies and authorizes the car by nothing more than its VIN. Security researchers Troy Hunt and Scott Helme brought the issue to light yesterday when they published their findings in a blog post. Now, a day later, Nissan has disabled the service.
"This API thing is just nuts. It's not even like they just missed auth or didn't check, it's actually not implemented. It was built, intentionally, without security," Helme wrote.
Nissan was informed of the security flaw a month ago but only took action after it became public. As far as Nissan is concerned, it doesn't present a safety issue because a hacker would only be able to mess with the Leaf's and eNV200's climate controls, not the driving functions.
"We apologize for the disappointment caused to our Nissan Leaf and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount."
While it's true that a hacker wouldn't be able to remotely disable the brakes or take control of the steering, the ability to turn on the AC remotely could drain the battery, leaving a Leaf or eNV200 owner to return to a dead car after parking it for the workday. In addition, a hacker would be able to access a Leaf or eNV200 owner's historical driving data, which could be used to work out when a person is going to be away from home.
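To make the flaw described above concrete, here is an added illustration (not Nissan's code, and not the real NissanConnect API) of the VIN-only pattern beside a hardened handler that treats the VIN as a resource identifier rather than a credential; the vehicle records, session tokens and endpoint names are constructed for the example.

```python
# Added illustration (not Nissan's code): an API that treats a VIN as proof of
# authorization, beside a hardened check that requires an authenticated user
# who actually owns that VIN.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: vehicles keyed by VIN, session tokens mapped to users.
VEHICLES = {
    "VIN-EXAMPLE-001": {"owner": "alice", "climate_on": False,
                        "trips": ["2016-02-23 08:05 12.4 km"]},
    "VIN-EXAMPLE-002": {"owner": "bob", "climate_on": False, "trips": []},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> user id


@dataclass
class Request:
    vin: str
    action: str                    # "climate_on" or "trips"
    token: Optional[str] = None    # bearer token; the vulnerable API ignores it


def handle_vulnerable(req: Request) -> dict:
    """VIN-only lookup: anyone who knows or guesses a VIN controls the car."""
    car = VEHICLES.get(req.vin)
    if car is None:
        return {"status": 404}
    if req.action == "climate_on":
        car["climate_on"] = True
        return {"status": 200}
    return {"status": 200, "trips": list(car["trips"])}


def handle_hardened(req: Request) -> dict:
    """Authenticate the caller first, then authorize against ownership."""
    user = SESSIONS.get(req.token or "")
    if user is None:
        return {"status": 401}     # no valid session: reject before any lookup
    car = VEHICLES.get(req.vin)
    # Same answer for "unknown VIN" and "not your VIN", so the API does not
    # confirm which VINs exist to an authenticated but unrelated user.
    if car is None or car["owner"] != user:
        return {"status": 404}
    if req.action == "climate_on":
        car["climate_on"] = True
        return {"status": 200}
    return {"status": 200, "trips": list(car["trips"])}
```

The detection side follows from the same distinction: a climate or trip-history request that carries no session, or a session whose user does not own the requested VIN, is the event worth alerting on.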
Nissan said it's working on updated versions of its apps and hopes to release them soon.