The Nissan Leaf, the Japanese automaker’s popular electric car, could fall prey to remote attacks by hackers, according to security researcher Troy Hunt. In response to Hunt’s discovery, Nissan has temporarily pulled the app that Leaf owners can use to control the car.
To use the app, owners only have to enter their car’s Vehicle Identification Number (VIN). Hunt found that with just that information, hackers could potentially obtain driving history data and tweak the car’s heating and air-conditioning controls. (The app does not, however, grant access to unlock a car or drive it remotely.) According to Hunt, the issue could easily be fixed if Nissan insisted on users providing additional information—aside from just the VIN, which can be found on a Leaf car’s windscreen—for authentication.
Due to this vulnerability, Hunt, who was based in Australia, managed to take over the climate controls of a Nissan Leaf located in the U.K. Hunt posted a video of the experiment, as seen below:
In a statement to the BBC, a Nissan spokeswoman said the company was revising its app to ensure drivers’ safety:
“Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions. It has no effect whatsoever on the vehicle’s operation or safety. Our global technology and product teams are currently working on a permanent and robust solution. We are committed to resolving the issue as a matter of priority, ensuring that we deliver the best possible experience for our customers through the app now and in the future.”