The talk around car hacks seems to be gaining momentum. Just recently, computer security researchers Troy Hunt and Scott Helme, discovered that Nissan’s Leaf car app can potentially be used to remotely hack any Nissan Leaf's in-car systems. According to Hunt’s findings, he was able to connect to a Leaf model remotely using Nissan’s mobile app.
Hunt, who figured out that the Leaf’s app interface (API) uses only the Vehicle Identification Number (VIN) to control car features remotely without passwords, also found that features such as the car’s current battery life, travel times and distances, and climate control can be hacked into as well. Fortunately, the Leaf does not have remote unlock features for its doors. However, a hacker could still easily turn on a Leaf’s heated seats or air conditioning from the opposite side of the world, draining the electric car's battery and leaving the owner sidelined.
Helme says, “if I was to monitor your movements over the course of the week, and learn when you go to and from work, shortly after you got to your office I could run the heating for the remainder of the day. That would potentially leave you with very little power, certainly not enough to get back home.” Hunt adds, “Attackers would not even need to use the app, since the commands could be sent via a web browser.”
Based on Hunt’s blog, he brought the security flaw to Nissan’s attention in January so that the company could address the issue. After multiple attempts to get a resolution, he ultimately decided to publicly disclose the flaw after a month after others discovered the problem and began discussing it online. In a YouTube video, Hunt, while in Australia, demonstrated with Helme in Norway how he is able to control the features on Helme’s Leaf. Hunt emphasizes, “We elected for me to sit outside a sunny environment whilst Scott was shivering in the cold to demonstrate just how remote you can be and still control someone else’s car, literally from the other end of the earth.”
While Hunt acknowledged that the flaw is not life-threatening, hackers could still exploit the app’s vulnerability and run down people’s batteries. It's certainly not the first time a car hack has been discovered. Last year, a notable car-jacking stunt demonstrated how a hacker with a 3G connection can connect to a Jeep Cherokee's infotainment system. Once connected, the vehicle's engine and brakes could be controlled remotely, and resulted in a recall of 1.4 million units. The increasing number of connected devices being used is expected to result in at least one smart device failure that could result in physical harm in 2016.