A security researcher has warned of vulnerabilities in Nissan’s mobile app for Leaf owners.
Troy Hunt claims the company has failed to address security issues with the NissanConnect EV app, allowing hackers to remotely access and control some features by simply knowing a vehicle’s VIN.
The deficiency does not appear to have safety implications, though it could allow attackers to adjust the climate-control system, fiddle with the charging system or access private data such as driving history.
“Whilst it’s not specifically personally identifiable information such as the individual’s address, by the time you have a VIN which you know belongs to a LEAF registered within a specific country, it may not take too much effort to fill that gap,” Hunt wrote in a blog post.
The researcher claims to have notified Nissan months before going public with details of the exploit. If accurate, the report suggests Nissan failed to implement even basic security provisions to protect against such attacks.
“It’s not that they have done authorization [on the app] badly, they just haven’t done it at all, which is bizarre,” Hunt told the BBC.
Nissan is aware of the vulnerability and is currently “working on a permanent and robust solution.” The company reaffirms that the issue has “no effect whatsoever on the vehicle’s operation or safety.”