The world's bestselling electric car, the Nissan Leaf, is easily 'hackable' remotely using just a web browser. What was demonstrated to be the scope of the hack in this case probably won't give most people sleepless nights - Nissan doesn't think there is a safety risk - but it is nonetheless concerning that people can look at your Leaf trip data and adjust certain systems in your car with such ease. The issue seems to stem from the NissanConnect app, which gives owners various information about their cars and control over such things as the air conditioner and heating. Access is granted simply on the basis of knowing the car ID number, with no further authentication.
Security researcher Troy Hunt discovered that just by knowing a Nissan Leaf's unique Vehicle Identification Number (VIN) hackers could access the car's connected systems. This number is printed on a sticker in the windscreen on some models. The VIN consists of characters which indicate the brand, make and country of manufacture of a car and just the last five digits vary between different Nissan Leaf cars in any country. So obscuring your VIN in your windscreen isn't going to stop you being hacked if someone is simply malicious enough to do the following:
"There's nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air conditioning on in every one," according to Hunt. "They would then get a response that would confirm which vehicles exist."
As noted by one of Hunt's contacts in the UK, hacking to control an air conditioner or heater, or to access travel logs, doesn't seem too threatening, but someone could drain your battery while you were parked at work without a charge point, for example, preventing you from getting home. The privacy and security risk of someone being able to access all your journeys is also concerning.
Nissan has told the BBC that it is aware of the issue and is working on a solution. Hunt said he told Nissan about this hack a month ago. Please note that the car systems cannot currently be hacked when users are operating the car. Hunt added that unregistering the NissanConnect app prevents remote hacker attacks.
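The missing control described above, as an added example that is not code from the article, from Hunt or from Nissan: a server-side handler that treats the VIN as an identifier rather than a credential, gives the same answer for "not your car" and "no such car" so responses cannot confirm which vehicles exist, and throttles a client that is refused on many distinct VINs. All names, the token scheme, the accounts and the VIN values are assumptions constructed for illustration.

```python
# Added illustration: hypothetical names throughout, not Nissan's API.
import hashlib
import hmac
import secrets
from collections import defaultdict

SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret (constructed)
OWNERS = {"alice": {"SAMPLEVIN00012345"}}   # account -> registered VINs (constructed)

def _mac(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()

def issue_token(account: str) -> str:
    """Session token handed out after a real login (the login step is not shown)."""
    return f"{account}.{_mac(account)}"

def account_for(token: str):
    """Return the account a token was issued to, or None if it does not verify."""
    account, _, mac = token.partition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(account).encode())
    return account if ok else None

class ClimateApi:
    def __init__(self, max_denied: int = 5):
        self.max_denied = max_denied
        self.denied = defaultdict(set)      # client address -> distinct VINs refused

    def set_climate(self, client: str, token: str, vin: str, on: bool) -> int:
        """Handle a climate-control request; returns an HTTP-style status code."""
        if len(self.denied[client]) >= self.max_denied:
            return 429                      # many refused VINs from one client: throttle
        account = account_for(token or "")
        if account is None:
            self.denied[client].add(vin)
            return 401                      # knowing a VIN is never enough on its own
        if vin not in OWNERS.get(account, set()):
            self.denied[client].add(vin)
            return 404                      # same reply for "not yours" and "no such car"
        return 200                          # command accepted for the owner's own car
```
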