By Cameron Abbott and Meg Aitken
Lock you doors…oh wait, that won’t protect you. Australian security researchers, Troy Hunt and Scott Helme have exposed a security flaw in Nissan’s Connect app which allows certain features of the manufacturer’s best-selling electric car, the ‘LEAF’, to literally be controlled by someone else on the other side of the world.
Hunt and Helme recently discovered that the app did not require any owner identification information in order to link with and control LEAF cars. All that was required was the Vehicle Identification Number (VIN), which is conveniently displayed on the chassis of the vehicle.
OK, so hackers couldn’t actually steer the car, but they could command the climate control and telematics to access driving data about trip durations, raising privacy concerns. Further, given that the LEAF is an electric powered vehicle, being able to access the climate controls could potentially allow a hacker to drain the battery and leave a driver stranded.
Car companies are racing to embrace the internet of things, and privacy and security seems to be taking a back seat. While there is no doubt that connected car technology boasts exciting functionality for drivers, it is not without road bumps, and we are once again reminded of the dangerous potential presented by interconnected devices. With a bit of luck, Nissan’s scare will see the automotive industry get in the driver’s seat towards developing a better appreciation of the risks associated with these devices and how they can be mitigated.
Nissan has now reportedly disabled the NissanConnect app and plans to release a new version once these security concerns are rectified. According to Hunt’s blog post, it took Nissan more than a month to take the app offline after he reported the security vulnerabilities.
Read Troy Hunt’s blog post on the discovery here.