NISSAN Australia has pulled the plug connecting its Leaf electric car to owners’ smartphones, after hackers used the system to break into the world’s best-selling electric car and toy with its settings.
Nissan told Wheels its app, which among other things allows owners to remotely warm up or cool down their vehicle from a smartphone, was “currently unavailable” after it was taken down today in response to the hack.
Troy Hunt, an Australian security researcher, was able to send data to a friend’s car parked more than 15,000 kilometres away and play with the air-conditioning system and seat warmers via the car’s connection to the UK’s mobile phone network – all from a laptop’s browser window while seated beside his pool in Queensland. The owner did not even need to be in the car.
Working out how to hack into the Leaf took less than an hour. Hunt emphasised that the hack did not allow a hacker to take complete control of the vehicle in the way that US hackers were able to play with the brakes, throttle and even the steering of a Jeep Cherokee last year.
“When I ran a workshop for software developers in Norway last month there was a bloke there who, using some of the things we’d learned during the day about how mobile phones talk to services such as Nissan’s, managed to find that the only thing that he needed to know in order to access information about the vehicle’s status and the climate control features was the VIN,” Hunt told Wheels.
“I ran this workshop, the guy had one hour of training, and he figured it out. So it is not that I showed some secret ninja tricks or something like that.”
Not even the whole Vehicle Identification Number – a string of numbers and letters unique to each car. Instead, Hunt found that only the last five digits of the VIN – clearly visible in a corner of the Leaf’s windscreen – were needed to make the hack work.
Think that’s bad? He was even able to look through the car’s entire travel history. Hunt said he was not able to see any GPS details in the data, which would easily have allowed a hacker to work out where the car was located, but he could get a sense of where it had been.
“What we do have is, as far as we can tell, the entire history of the vehicle on a day-by-day basis, how many trips were done, and then for each one of those trips, what time was it and what distance was it,” he said.
“So if you start to look at the data in the aggregate you can say this person always takes a short drive at this time of week, and then they do this, and then they do that, and you could then establish usage patterns as well.
“Now, if you did take the VIN and do something like a rego check in whatever part of the world they’re in and then match that back to identities, you can start to get a pretty good idea of who owns it, where they’re going, what they’re up to, what their movements are.”
This was not good from a privacy point of view, Hunt said.
According to Hunt, the Leaf’s vulnerability to a simple hack attack showed that, just as when other companies rushed to connect devices such as light bulbs and fridges to the Internet, online security was often taking a back seat.
“I guess cars are complicated as they are without throwing even more electronics into them,” he said. “So [smartphone app connectivity] is adding a huge amount of complexity.”