Nissan suspends NissanConnect EV smartphone app over serious hacking concerns

When all it takes is a browser and a VIN to gain access to someone else's vehicle functions, you know something is not quite right.

Nissan

It appears that the most nefarious deed one could commit with this hack is draining a random person's battery before they need to drive somewhere.

Photo by Nissan

Nissan has disabled its NissanConnect EV smartphone app, which allowed users some degree of control over their Leaf electric vehicles from their phones, after one security researcher discovered that he could send random commands to random Leafs with nothing more than a Web browser and knowledge of a vehicle identification number (VIN).

Popularized by security researcher Troy Hunt after remotely accessing a British Leaf from all the way in Australia and posting the results to YouTube, the security flaw is made possible because the connection between the remote user and the Leaf's systems was not authenticated. Thus, anyone with knowledge of how to send commands could do so, because Nissan's side didn't bother to determine that the commands were coming from verified sources.

For what it's worth, Hunt didn't immediately run to the internet after learning how to do this. Instead, he contacted Nissan and made the company aware of this flaw, and only after four weeks of waiting for something to happen did he go live with the results. Shortly after it was made public, Nissan shut down its app.

"The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF and eNV200) is currently unavailable," the automaker said in a statement. "This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route." There is no word as to how soon a fix might be in place.

Even though the app is still down, Nissan owners can still access the company's Web portal to check on their vehicles and adjust settings, if need be. Our friend Benjamin Hunting at SlashGear also noted that, even though the app is offline, the exploit is still functional.