Drive away from the showroom in one of the more technology-forward new vehicles—or really now, nearly anything with a luxury badge—and it’s likely you at least have the option to bring some key vehicle functions with you nearly everywhere you go: in the form of an app for your iOS or Android handset.
And while these apps may be a tremendous help when it comes to tasks like unlocking your car remotely, getting roadside assistance, remembering where you parked, checking in on your battery charge or fuel tank, or priming the climate control on a cold winter day, they can represent potential windows of opportunity if automakers aren’t extremely mindful of security.
That’s been underscored this week, as an Australian cybersecurity expert, Troy Hunt, showed that hackers could hijack some of the telematics-based systems in the Nissan Leaf—such as its climate control and journey data.
Hunt did acknowledge that the issue itself wasn’t directly life-threatening. However the climate-control flaw could potentially be used to tamper with a known car—running its battery down while parked, for instance—the trip-data flaw is the more serious one, from a privacy standpoint.
Nissan did the right thing
He recommended that the right thing for Nissan to do in this situation was to turn it off. And that’s exactly what the automaker did this past day—effectively disabling the app’s functions by making the server unavailable.
2011 Nissan Leaf CarwingsEnlarge Photo
Nissan clarified to us that Leaf models in the U.S. and abroad are affected by the issue, as are eNV200 vans sold overseas.
And the automaker made the following statement:
The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
We're looking forward to launching updated versions of our apps very soon.
That said, there’s clearly a lot that automakers are missing. Two researchers, Charlie Miller and Chris Valasak, in 2014 found that most vehicle control systems weren’t designed with security as a top priority and could be compromised remotely. Cellular-based apps were one of the potential ways in which an intruder might access vehicle functions—although most were still behind keys, checksums, and multi-level cryptography.