Nissan disables app in its EV Leaf over security concerns

Nissan yesterday disabled an app that allowed owners of its electric Leaf car to control their cars' heating and cooling from their phones, after an Australian researcher said it could be used to control others' cars as well.

The NissanConnect EV app, formerly called CarWings, allowed a remote hacker to access the Leaf's temperature controls and review its driving record, merely by knowing the car's VIN (vehicle identification number).

In a blog post computer security researcher Troy Hunt, explained how he discovered the flaw and initially reported it to Nissan on 23 January. He contacted the company several times and only posted his blog after discussion on the issue started on security forums online, he wrote.

In an email to USA Today, the company's Steve Yaeger said, the issues relating to the app had "no effect whatsoever on the vehicle's operation or safety."

The company said in a statement, "our 200,000 Leaf drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle."

The company said it was looking forward to launching an updated version of its app "very soon."

The initial characters of a Vin refer to its brand, make of car, and country of manufacture / location of the firm's headquarters.

According to Hunt only the final numbers would vary between different Nissan Leafs based in the same region.

"Normally it's only the last five digits that differ," he explained.

"There's nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries and turn the air conditioning on in every one.

"They would then get a response that would confirm which vehicles exist."