Software Integrity Blog


Nissan Leaf app flaw allows remote access

A security researcher disclosed on Wednesday that certain Nissan Leaf models can allow their heating and air-conditioning systems to be hijacked because of a flaw in its companion app. Security researcher Troy Hunt found that the NissanConnect app needed only the vehicle identification number (VIN) for any Nissan Leaf car to take control. However, he found that since the commands could also be sent via a web browser, one didn’t need the app to take control of the cars.

“It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre,” Hunt told the BBC.

When was the flaw reported?

According to the BBC, Hunt reported the flaw to Nissan more than a month ago. The company said it could not yet comment. At present a remote attacker could only, at worst, run down people’s batteries by turning on their air conditioning. This was not true if the car was in motion. Nonetheless, an attacker could see the registered owner’s name, as well as time and destination of recent trips.

The VIN code is usually engraved somewhere on a car’s windscreen. The initial characters of a VIN refer to the brand, make of car, and country of manufacture/location of the firm’s headquarters. So even without walking through a parking lot, one could find those numbers online. Only the final digits change between different Nissan Leafs based in the same region. “There’s nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries and turn the air conditioning on in every one,” Hunt told the BBC. “They would then get a response that would confirm which vehicles exist.”


More by this author