And this isn’t just some minor fault on the part of Nissan; it represents a spectacular failure of Nissan’s security protocols (or lack thereof) used in the NissanConnect EV app to connect with Leaf EVs via the Internet. “This API thing is just nuts. It's not even like they just missed auth or didn't check, it's actually not implemented,” writes Helme. “It was built, intentionally, without security.”
Hunt and Helme were able to access data (data is only accessible if the Nissan Leaf is “off”) on any Leaf that is registered through NissanConnect using just the vehicle’s VIN. That’s right, we're talking about the VIN that is readily visible at the base of the windshield of every vehicle. So unscrupulous hackers could easily copy down the VIN from a Leaf and observe or change any number of vehicle settings, including:
- Check state of battery charge
- Start charging
- Check when battery charge will complete
- See estimated driving range
- Turn on or off the climate control system
And even if you don’t have “eyes on” a Leaf to get its VIN, each vehicle shares the same prefix of SJNFAAZE0U60, with only the last five characters (not shown here of course) positively identifying each vehicle.
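The control the API lacked, as an added example (not Nissan's code and not from Hunt or Helme): a request handler that treats the VIN as the only credential, next to one that authenticates the caller and checks vehicle ownership. The VINs, account names, action names and function names are hypothetical placeholders.

```python
import hmac
import secrets

# Constructed sample data: VINs, accounts and tokens are placeholders.
VEHICLE_OWNER = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
SESSIONS = {}  # session token -> account name
ACTIONS = {"battery_status", "range_estimate", "start_charging",
           "climate_on", "climate_off"}


def login(account):
    """Issue an unguessable session token (password check omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def handle_vin_only(vin, action):
    """Flawed pattern from the article: the VIN is the only credential."""
    if vin in VEHICLE_OWNER and action in ACTIONS:
        return 200, f"{action} accepted for {vin}"
    return 404, "unknown vehicle or action"


def _account_for(token):
    """Look up a session, comparing tokens in constant time."""
    if not isinstance(token, str):
        return None
    for known, account in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return account
    return None


def handle_authorized(token, vin, action):
    """Hardened form: authenticate the caller, then check ownership."""
    account = _account_for(token)
    if account is None:
        return 401, "authentication required"
    if action not in ACTIONS:
        return 400, "unknown action"
    # Same answer for "not yours" and "does not exist", so the endpoint
    # cannot be used to confirm which VINs are registered.
    if VEHICLE_OWNER.get(vin) != account:
        return 403, "not authorized for this vehicle"
    return 200, f"{action} accepted for {vin}"
```

Because a VIN is printed on the vehicle and differs from its neighbours only in the last few characters, it can serve as an identifier but never as proof of ownership; the session token carries that role here.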
As the accompanying video shows, once a valid VIN was obtained, it was a rather trivial process to actually adjust vehicle settings like turning on the heated steering wheel, heated seats or even the air conditioning. That last setting is rather important, as turning on a vehicle’s A/C while the vehicle is parked and unattended has the potential to drain a vehicle’s battery without the rightful owner even suspecting anything. So a driver could have his or her EV parked at work, and come out of a full day on the job to find the vehicle’s battery exhausted. So much for making the trek back home before dinner…
And that’s not all, with Helme describing:
“The other main concern here is that the telematics system in the car is leaking *all* of my historic driving data. That's the details of every trip I've ever made in the car including when I made it, how far I drove and even how efficiently I drove. This could easily be used to build up a profile of my driving habits, considering it goes back almost 2 years, and predict when I will be away from home. This kind of data should be collected and secured with the utmost respect for my privacy.”
Hunt first contacted Nissan about the vulnerability on January 23rd, and talked to the company via phone on January 30th. However, as of today, Nissan still hasn’t released a fix for the issue, so Hunt decided to go public with his findings.