A newly discovered vulnerability in Nissan Leaf's NissanConnect app isn't as catastrophic as one found in Chrysler's Uconnect system this past summer, but it still could impact drivers' personal privacy and security. Researcher Troy Hunt uncovered a bug in the companion app to the electric Nissan Leaf that could allow anyone to retrieve drivers’ trip histories, as well as mess with their vehicles’ heating and air conditioning systems. The hackers don’t have to be located anywhere near the affected vehicle, although if they have a specific person’s Nissan Leaf in mind for an attack, they'll have to know the Vehicle Identification Number, which is typically located on the front windshield.
Hunt and fellow security researcher Scott Helme exploited the vulnerability on Helme’s personal Leaf, the results of which can be seen in a YouTube video. They knew Helme's VIN, but in a real-world attack, a hacker could just automate guesses to try and gain access to vehicles around the world.
The NissanConnect app allows drivers to perform a variety of activities on their cars remotely, including turning their cars’ fans on and off. The car is warmed up in the winter and cooled down in the summer, all before the driver gets behind the wheel. But because the app doesn't authenticate who is carrying out these commands, the fans can be turned on by anyone with an internet connection.
Although the car isn’t vulnerable to being remotely controlled and doesn’t leak sensitive personally identifiable information, Helme did note that being able to turn the fans on and off could allow an attacker to run down a Leaf’s battery. He equated that battery drainage to starting the engine in a gas-operated car; people could end up stranded.
Recalling a person's driving history presents privacy and security issues
Recalling a person's driving history presents privacy and security issues, too. The attacker can view details of the driver’s trips and use them to determine when he or she might be out of the house again. "This could easily be used to build up a profile of my driving habits, considering it goes back almost two years, and predict when I will be away from home," Helme wrote in Hunt’s blog post.
A spokesperson for Nissan told Motherboard that it was currently looking into a fix but that the vulnerability also has "no effect whatsoever on the vehicle’s operation or safety." Hunt waited more than four weeks after notifying Nissan to publicly disclose the bug.