A security researcher has exposed a security flaw in one of the world’s most popular cars, the Nissan Leaf. The exploit takes advantage of a vulnerability through the car’s own application to take control of the car’s functions and journey logs.
Australian security researcher Troy Hunt began his experiment by testing a Nissan Leaf belonging to a fellow security researcher in the UK. He was able to ascertain the VIN (vehicle identity number) easily enough and with it, Hunt was able to turn on the air conditioning and heating systems of the fully electric vehicle.
The vulnerability and the exploit are explained in Hunt’s blog here.
Fundamentally, the vulnerability exists due to unsecured mobile management APIs supplied by Nissan. This glaring vulnerability allows hackers to gain access to non-critical features such as battery charge management of the electric vehicle and climate control via the Nissan Leaf companion application, from anywhere in the world with a basic internet connection.
Somewhat alarmingly, the only piece of information that a malicious hacker would need to mess with a target’s climate control systems or peek into the vehicle’s travel journey logs is the VIN. The alphanumeric string can easily be found stenciled onto a car’s windscreen. Furthermore, hackers would not even need to use the application to run commands remotely. A web browser is all that’s required to initiate commands, the researchers discovered.
Through repeated testing, the researchers determined that the remote hack only worked when the Leaf was dormant and found that the exploit did not work while the car was in motion. However, the owner’s username could still be obtained due to the unsecured APIs, a security hole that could lead to the reveal of the target’s identity.
Speaking to the BBC, Hunt explained:
It’s not that they have done authorization [on the companion app] badly, they just haven’t done it at all, which is bizarre.
The entire video demonstrating the exploit can be seen below:
For its part, Nissan has claimed that it is aware of the vulnerability and that its security engineers are working on a “permanent and robust solution.” The carmaker added that the exploit does not have any effect on the vehicle’s motor functions or safety.
Featured image from Shutterstock.