Security researcher discloses "profoundly trivial" hack involving Nissan Leaf electric vehicles

Shawn Knight

TechSpot Staff
Staff member

A couple of security researchers have disclosed a hack involving Nissan's Leaf that allows anyone with an Internet connection and a web browser to gather data and control certain aspects of the electric vehicle from anywhere in the world.

As renowned security researcher Troy Hunt recounts in the video above, a student in one of his security workshops discovered a way to gain access to Nissan's electric Leaf without using the company's mobile app. Further research confirmed the vulnerability, which allows a user to retrieve data from a Leaf and control the HVAC system even if the car isn't on.

All that's needed to pull off the hack is a vehicle's VIN, or Vehicle Identification Number. These aren't exactly hard to come by as they're required by law to be displayed through the windshield of all vehicles. The first several characters are almost always the same for a particular make and model so all that changes is the last five digits.

Hunt says he made multiple attempts over the past month to get Nissan to resolve the matter, with no luck, which is why he has decided to go public with it.

The good news is that the hack isn't as "dangerous" as the Jeep hack disclosed last summer. The bad news? It's extremely easy to hack into the Leaf. Theoretically, someone could run the car's battery down by using the heater all day and night but more concerning are the privacy implications.

All things considered, Hunt said Nissan needs to fix this.


Technician

TS Addict
First he says from anywhere in the world, then he mentions but you need to look thru the windshield of the car. That's not easy if the car is on a different continent or even if the driver (Like me) has the VIN covered by a dash cover.
 

Skidmarksdeluxe

TS Evangelist
> First he says from anywhere in the world, then he mentions but you need to look thru the windshield of the car. That's not easy if the car is on a different continent or even if the driver (Like me) has the VIN covered by a dash cover.
They can pull you over for obscuring your VIN... well they can over here anyway, but it's nothing that a little bribe won't rectify.
 

Kibaruk

TechSpot Paladin
> First he says from anywhere in the world, then he mentions but you need to look thru the windshield of the car. That's not easy if the car is on a different continent or even if the driver (Like me) has the VIN covered by a dash cover.
Right, cause information over internet is just over your windshield... and it's extremely hard to randomly select the last 5 digits to just wreak random havoc
 

Per Hansson

TS Server Guru
Staff member
> First he says from anywhere in the world, then he mentions but you need to look thru the windshield of the car. That's not easy if the car is on a different continent or even if the driver (Like me) has the VIN covered by a dash cover.
The VIN of a car can be easily found online, for example via a Carfax report.