CATEGORIES
home News

Internet-Connected Nissan Leaf EV At Risk From Hackers Due To Insecure APIs

by Brandon HillWednesday, February 24, 2016, 02:44 PM EDT

nissan leaf
If you own a Nissan Leaf electric vehicle, you might want to take note of research conducted by Troy Hunt. More specifically, Hunt and fellow researcher Scott Helme were able to demonstrate that certain vehicle functions can be turned on and off remotely thanks to open and unauthenticated APIs that Nissan is using for its NissanConnect services.

And this isn’t just some minor fault on the part of Nissan; it represents a spectacular failure of Nissan’s security protocols (or lack thereof) used in the NissanConnect EV app to connect with Leaf EVs via the Internet. “This API thing is just nuts. It's not even like they just missed auth or didn't check, it's actually not implemented,” writes Helme. “It was built, intentionally, without security.”

Hunt and Helme were able to access data (data is only accessible if the Nissan Leaf is “off”) on any Leaf that is registered through NissanConnect using just the vehicle’s VIN. That’s right, we're talking about the VIN that is readily visible at the base of the windshield of every vehicle. So unscrupulous hackers could easily copy down the VIN from a Leaf and observe or change any number of vehicle settings, including:

  • Check state of battery charge
  • Start charging
  • Check when battery charge will complete
  • See estimated driving range
  • Turn on or off the climate control system

And even if you don’t have “eyes on” a Leaf to get its VIN, each vehicle shares the same prefix of SJNFAAZE0U60, with only the last five characters (not shown here of course) positively identifying each vehicle.

As you can see by the video below, once a valid VIN was obtained, it was a rather trivial process to actually adjust vehicle settings like turning on the heated steering wheel, heated seats or even the air conditioning. That last setting is rather important, as turning on a vehicle’s A/C while the vehicle is parked and unattended has the potential to drain a vehicle’s battery without the rightful owner even suspecting anything. So a driver could have his or or her EV parked at work, and come out of a full day on the job to find the vehicle’s battery exhausted. So much for making the trek back home before dinner…

And that’s not all, with Helme describing:

The other main concern here is that the telematics system in the car is leaking *all* of my historic driving data. That's the details of every trip I've ever made in the car including when I made it, how far I drove and even how efficiently I drove. This could easily be used to build up a profile of my driving habits, considering it goes back almost 2 years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.

Hunt first contacted Nissan about the vulnerability on January 23rd, and talked to the company via phone on January 30th. However, as of today, Nissan still hasn’t released a fix for the issue, so Hunt decided to go public with his findings.

Tags:  security, Internet, Nissan Leaf, nissanconnect
Brandon Hill

Brandon Hill

Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid 90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about the tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.

Opinions and content posted by HotHardware contributors are their own.

TOP STORIES
Which New GPU Is For You?
More Results
KEEP INFORMED

Stay updated with the latest news and updates. Subscribe to our newsletter!

Subscribe Now
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2026 Hot Hardware Inc, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment