Nissan Leaf drivers, beware. If you climb into your compact electric car one morning to find that the heat has been cranked up to “sauna” or your battery has barely enough power left to charge your iPhone, your car may have been hacked.
According to online security consultant Troy Hunt, hacking the Leaf is so easy even your grandmother could do it. All a mischief-maker needs is the NissanConnect EV app, which is free to download, and access to the car’s VIN, which is etched on the windshield, plain to see if the car is parked outside. Anyone with a smartphone and 30 seconds to copy a Leaf’s VIN could then see the car’s state of charge on the app or fiddle with the climate control system. More enterprising hackers could dive into the app’s programming using a web browser to see where the Leaf in question has traveled. The flaw isn’t considered a major security risk because the hack doesn’t allow malicious users to control a car’s steering, accelerator, or brakes, or to adjust the climate while the car is in motion.
“To be honest, a fix would not be hard to do,” Hunt told the BBC. “It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre.”
Hunt said he learned about the flaw more than a month ago and reached out to Nissan on January 23, but chose to make his findings public only after learning that a group of Canadian Leaf owners had also discovered the app’s problems. Nissan, in response, announced one day later that it would be deactivating the NissanConnect EV app while it worked on a fix; however, Maple Leafers have mentioned on Hunt’s website that the problem still seems to exist in the Great White North.
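For readers who want to see what "no authorisation at all" means in practice, here is an added sketch (not Nissan's code and not from Hunt's write-up) that puts a VIN-only lookup beside one that ties each request to a logged-in owner and records refusals. Every function name, token and VIN in it is a constructed assumption.

```python
"""Added illustration: VIN-only lookup vs. an owner-bound authorization check.
All names, tokens and VINs here are constructed; this is not Nissan's API."""

# Constructed sample data: which account owns which vehicle.
OWNERS = {"SAMPLEVIN00000001": "alice", "SAMPLEVIN00000002": "bob"}
# Constructed session store: bearer token -> authenticated account.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}
# Constructed vehicle state.
STATE = {
    "SAMPLEVIN00000001": {"charge_pct": 80, "climate_on": False},
    "SAMPLEVIN00000002": {"charge_pct": 35, "climate_on": False},
}
DENIED = []  # audit trail of rejected requests, for detection


def battery_status_unauthenticated(vin):
    """The flaw as described: the VIN is the only thing checked."""
    state = STATE.get(vin)
    return (200, state["charge_pct"]) if state else (404, None)


def authorize(token, vin):
    """Return the account if the session is valid and owns this VIN."""
    account = SESSIONS.get(token)
    if account is None:
        DENIED.append((vin, "no valid session"))
        return None
    if OWNERS.get(vin) != account:
        # Same answer for "not yours" and "no such car": no VIN enumeration.
        DENIED.append((vin, "not owner: " + account))
        return None
    return account


def battery_status(token, vin):
    """Hardened read: only the authenticated owner sees the charge level."""
    if authorize(token, vin) is None:
        return (403, None)
    return (200, STATE[vin]["charge_pct"])


def set_climate(token, vin, on):
    """Hardened write: the same ownership check gates climate control."""
    if authorize(token, vin) is None:
        return (403, None)
    STATE[vin]["climate_on"] = bool(on)
    return (200, STATE[vin]["climate_on"])
```

A burst of entries in `DENIED` covering many different VINs from one account is the pattern an operator would alert on.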