Hackers Can Mess With Your Nissan Leaf From Anywhere in the World

The road to an all-electric, self-driving, interconnected transportation wonderland is going to have some speed bumps.

And boy, the Nissan Leaf just hit one. A digital security student discovered a bug in Nissan’s system that not only let him control features on his car remotely, in a way Nissan had not intended, but that he could connect to other people’s Nissan Leafs and mess with their cars. The bug allowed him to turn the fans on and off, tinker with other small features the companion smartphone app can control, as well as view other people’s driving information and data. The physical controls could conceivably drain the car’s battery, leaving drivers stranded.

The student immediately forwarded the glitch to his teacher, web security researcher and seminar instructor Troy Hunt, who teamed up with fellow researcher and Leaf owner Scott Helme to test the security gap on video.

The bug was relatively simple: a glitch in the app’s programming let users connect to their cars online, anonymously — that is, without verifying their identity as the owner of the car they were connecting to, outside of the Vehicle Identification Number. In other words, if you could get someone’s VIN, you could control (parts of) their car.

“Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded. That’s was [sic] a very serious issue,” Hunt said in his blog post about the bug.

Hunt waited a considerable amount of time before making the bug public, giving Nissan time to put out a fix, which has yet to happen.

“I reported it to Nissan the day after we discovered this,” Hunt said in the post. “Yet as of today – 32 days later – the issue remains unresolved.”

When Hunt, who lives in Australia, tested out the bug with Helme, they found that Hunt could control the same features of Helme’s Leaf, parked in his driveway in Northern England, that he could his own, all through his internet browser.

Here’s the full test on video:

Still, Helme said, it could be worse.

“Fortunately, the Nissan LEAF doesn’t have features like remote unlock or remote start, like some vehicles from other manufacturers do, because that would be a disaster with what’s been uncovered,” Helme said in Hunt’s blog post.

Other interconnected vehicles, like OnStar equipped GM vehicles, have been exposed to far more dangerous flaws, including control of the engine. Hackers famously were able to remotely shut down a Jeep with a Wired reporter inside back in July, and the Nissan bug isn’t as severe. Still VIN numbers aren’t particularly difficult for a dedicated hacker to brute-force through and find, so it might be wise to keep an eye on your air vents for signs of illicit climate control.