Nissan Leaf Security Flaw Puts Vehicle Telematics Apps Under Scrutiny

February 25, 2016

Drive away from the showroom in one of the more technology-forward new vehicles—or really now, nearly anything with a luxury badge—and it’s likely you at least have the option to bring some key vehicle functions with you nearly everywhere you go: in the form of an app for your iOS or Android handset.

And while these apps may be a tremendous help when it comes to tasks like unlocking your car remotely, getting roadside assistance, remembering where you parked, checking in on your battery charge or fuel tank, or priming the climate control on a cold winter day, they can represent potential windows of opportunity if automakers aren’t extremely mindful of security.

ALSO SEE: 2016 Chevy Silverado, GMC Sierra Get MPG-Boosting Mild-Hybrid Tech

That’s been underscored this week, as an Australian cybersecurity expert, Troy Hunt, showed that hackers could hijack some of the telematics-based systems in the Nissan Leaf—such as its climate control and journey data.

Hunt did acknowledge that the issue itself wasn’t directly life-threatening. However the climate-control flaw could potentially be used to tamper with a known car—running its battery down while parked, for instance—the trip-data flaw is the more serious one, from a privacy standpoint.

Nissan did the right thing

He recommended that the right thing for Nissan to do in this situation was to turn it off. And that’s exactly what the automaker did this past day—effectively disabling the app’s functions by making the server unavailable.

2011 Nissan Leaf Carwings

2011 Nissan Leaf Carwings

Enlarge Photo

Nissan clarified to us that Leaf models in the U.S. and abroad are affected by the issue, as are eNV200 vans sold overseas.

CHECK OUT: Volkswagen Dieselgate Update: Judge Sets March Deadline For Repair Plan, EPA Asks For EVs, More

And the automaker made the following statement:

The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.

No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.

We're looking forward to launching updated versions of our apps very soon.

That said, there’s clearly a lot that automakers are missing. Two researchers, Charlie Miller and Chris Valasak, in 2014 found that most vehicle control systems weren’t designed with security as a top priority and could be compromised remotely. Cellular-based apps were one of the potential ways in which an intruder might access vehicle functions—although most were still behind keys, checksums, and multi-level cryptography.

2017
The Car Connection
See the winners »
2017
The Car Connection
 
The Car Connection Daily Headlines
I agree to receive emails from the site. I can withdraw my consent at any time by unsubscribing.
Thank you! Please check your email for confirmation.
Ratings and Reviews
Rate and review your car for The Car Connection
Review your car