Security developer discovers hackers can control your Nissan Leaf remotely

At some of the latest electronics and auto shows, the public has been exposed to plenty of connected car features that bring drivers a new level of comfort and convenience. However, as with any connected device, such as IoT baby monitors and home security systems, there is room for hackers to infiltrate.

Recently, an Australian security developer named Troy Hunt, whose work is regarded highly by Microsoft (he is considered a Microsoft Most Valuable Professional), discovered that the Nissan Leaf could be hacked into and taken over via the Internet.

Nissan Leaf

Hunt discovered this while running a “Hack Yourself First” workshop, which keeps software developers up to date on what they should do to protect their apps against cyber threats. During the workshop, an attendee determined that he could hack into his own Nissan Leaf and control its features, as well as take over other people’s Leafs.

Hunt was inspired to look into the hack and decided he would hack into his friend’s Nissan Leaf. The pair successfully hacked not only the vehicle in question, but also other Leafs using the car’s VIN, retrieving information like recent trips and power usage, and even manipulating the vehicle’s climate controls.

The NissanConnect EV app that Hunt and partner were able to hack and manipulate. (Image via Troy Hunt)

At the end of January, Hunt sent the full details of the findings to Nissan Information Security Threat Intelligence in the U.S.A. While Hunt says that Nissan handled the situation very well and was easily accessible, he does admit that Nissan asked him to hold off on publishing this information:

“I did hear back with a request to wait “a few weeks” before publishing, but given the extensive online discussions in public forums and the more than one-month lead time there’d already been, I advised I’d be publishing later that night and have not heard back since. I also invited Nissan to make any comments they’d like to include in this post when I contacted them on 20 Feb or provide any feedback on why they might not consider this a risk. However, there was nothing to that effect when I heard back from them earlier today, but I’ll gladly add an update later on if they’d like to contribute.”

Shortly after publishing, Hunt heard back from Nissan. The company disabled the app that allows users to control aspects of their Leaf from their cellphone, but Hunt is still receiving feedback from followers mentioning that Canadian resources are still accessible using only the VIN.

Read the entire blog post on Hunt’s website, which documents the specifics of the hacks, along with updates.

Also, have a look at Hunt’s video documenting the hack.
