Nissan Disables App, Citing Security Risk

Nissan Motor Co. has disabled an app for its Leaf electric sedan after being advised the software could allow its user to hack into other Leafs and steal data from them.

The NissanConnect EV is designed to allow Leaf owner to use their smartphones to adjust their cars’ heating and cooling systems remotely. But Australian researcher Troy Hunt discovered the app can access any Leaf simply by inputting the other vehicle’s identification number. He points out hackers also could guess VINs until a Leaf responds.

Once in control, the hacker could access the targeted car’s travel history and location, interfere with its charging and maliciously turn on its air-conditioning system overnight to drain the battery. Hunt notes that gaining a history of the car’s movements could be used to locate its owner's home.

The Nissan app was not designed to remotely unlock doors or activate the car’s electric motor and cannot be hacked into doing so, he points out.

Hunt reports on his blog that the Nissan app has virtually no built-in security. He reported the flaw to Nissan in late January. Nissan tells Automotive News it will offer an updated version of the app soon.