Nissan disables app for electric Leaf car amid hacking risks

Australian researcher finds loophole to control heating as well as access journey information

Nissan has been forced to disable its smartphone app for drivers of its all-electric Leaf car after it was exposed as being vulnerable to hackers.

Troy Hunt, a prominent security researcher in Australia, found a way to access the app linked to the cars, allowing him to control heating and air conditioning in individual vehicles as well as access journey information.

Mr Hunt said he was unable to gain access to any of the driving functions of the car but told the FT: “I don’t know whether a determined adversary could access other components of the vehicle.”

Despite being informed of the vulnerability on January 23, Nissan only disabled the app at 2am GMT yesterday after Mr Hunt put details online.

Nissan said it was “working towards a robust solution from the moment we were alerted to this issue”.

More than 200,000 Leaf cars, which are assembled at the company’s Sunderland plant in the UK, have been sold since the model launched five years ago.

As cars become increasingly linked to the internet, there are rising concerns about cyber security.

Last year hackers found a way to access Jeeps remotely, gaining control of steering and braking as well as other functions.

Nissan insisted that it was not possible to access any of the driving functions from the app because steering and braking were not linked to the internet.

“The only functions that are affected are those controlled via the mobile phone — all of which are still available to be used manually, as with any standard vehicle,” the company said.

“Our drivers across the world can continue to use their cars safely and with total confidence. We’re looking forward to launching updated versions of our apps very soon.”

Mr Hunt said he could access heating controls and anonymised journey details showing when the car had been switched on, as well as its battery level.

Once in, he said it would be easy to preset the heating to come on and drain the car’s battery remotely.

Mr Hunt said the level of security on the app was lower than he expected, and an employee in his workshop was able to gain access to a vehicle within 15 minutes. “The paradigm was never built in,” he said. He added that clearly they “never even decided to build any security at all into this — this I found quite striking”.

Copyright The Financial Times Limited 2017. All rights reserved.