
Nissan Leaf hack: the facts

Some of the features of the Nissan Leaf could be hacked, according to an expert. Here’s what you need to know

A cybersecurity expert has found a way to remotely control a Nissan Leaf – the world’s most popular electric vehicle. The vulnerability, discovered by Troy Hunt, allows anyone access to the air-conditioning and heating systems of the car and even gives access to its journey history. However, unlike other recent car hacks, this will not allow the Leaf to be driven remotely.


According to Hunt, the hack was carried out through Nissan’s ‘Connect EV’ app and allowed him to take control of others’ Leafs from the other side of the world.

How does it work?

Like many other electric vehicles, the Nissan Leaf uses an app to display your driving habits, battery charge level and general eco-friendliness – but it also allows for ‘pre-conditioning’. Simply put, this means you can control elements of the car remotely while it’s charging. For example, you can warm up the interior while the car’s still charging, saving precious battery life for driving.

Worryingly, Hunt says he gained access to these functions through the Nissan app using only the VIN (Vehicle Identification Number) from a Leaf. “It's not that they have done authorisation [on the app] badly, they just haven't done it at all, which is bizarre,” Hunt told the BBC.


The first few characters of a car's VIN refer to the brand, model and country of origin, so only the last few numbers set each Leaf apart. “Normally, it's only the last five digits that differ,” Hunt told the BBC. “There's nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air-conditioning on in every one.”
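
To show what "no authorisation at all" means on the server side, here is an added sketch (not Nissan's code and not taken from Hunt's write-up) that puts a VIN-only request handler next to one that checks who is asking, plus a simple monitor for one client querying many different VINs. Every function name, token and VIN below is a made-up placeholder.

```python
# Added illustration; every name and value here is hypothetical/constructed.
from collections import defaultdict

# Constructed sample data: which account has paired which vehicle.
OWNERSHIP = {"alice": {"VIN-EXAMPLE-00001"}, "bob": {"VIN-EXAMPLE-00002"}}
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}  # session token -> account


def climate_vin_only(vin, action):
    """Flawed pattern from the article: the VIN alone selects the car."""
    known = set().union(*OWNERSHIP.values())
    return "accepted" if vin in known else "unknown vehicle"


def climate_authorised(token, vin, action):
    """Hardened pattern: authenticate the caller, then check ownership."""
    account = SESSIONS.get(token)
    if account is None:
        return "401 not authenticated"
    if vin not in OWNERSHIP.get(account, set()):
        # Same answer whether or not the VIN exists, so responses
        # cannot be used to confirm which VINs are real.
        return "403 forbidden"
    return "accepted"


class VinSweepDetector:
    """Flags a client that touches more distinct VINs than an owner plausibly would."""

    def __init__(self, max_distinct=3):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)  # client id -> VINs it has requested

    def observe(self, client_id, vin):
        self.seen[client_id].add(vin)
        return len(self.seen[client_id]) > self.max_distinct
```

The VIN is printed on the car and largely predictable, so it can identify a vehicle but cannot stand in for proof of ownership; the second handler treats it only as an identifier.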


In a video, Troy Hunt is shown remotely controlling his friend’s UK-based Leaf using his laptop over the internet. The owner, Scott Helme, also a cybersecurity expert, told the BBC: “The heated seat then turned on, the heated steering wheel turned on. And I could hear the fans spin up and the air-conditioning unit turn on.”

What cars are affected?

Nissan says all versions of the Nissan Leaf and the Nissan e-NV200 would have been affected, but the service has temporarily been taken offline.

What has Nissan said?

Nissan told us: “The NissanConnect EV app (formerly called CarWings and used for the Nissan LEAF and e-NV200) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.


“No other critical driving elements of the Nissan LEAF or e-NV200 are affected and our 200,000-plus Leaf and e-NV200 drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.


“We apologise for the disappointment caused to our Nissan LEAF and e-NV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount. We're looking forward to launching updated versions of our apps very soon.”

Is it dangerous?

Not particularly. Troy Hunt says he gave Nissan a month to fix the issue and today the company has deactivated the Connect EV service – but it didn’t represent an immediate risk. In a worst-case scenario, hackers would be able to access a car’s air-conditioning system and make the interior either very warm or very cold, potentially running down the battery in the process. What’s more, the hack doesn’t work when the car is in motion.

As Hunt says: “It's much like being able to start the engine in a petrol car to run the air-conditioning, it's going to start consuming the fuel you have in the tank. If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it... You'd be stranded.”

At the same time, hackers could also have access to your journey history and eco-stats, which, while unnerving, pales in comparison to recent car hacks.

As Troy Hunt says in his blog: “It’s a different class of vulnerability to the Charlie Miller and Chris Valasek Jeep hacking shenanigans of last year, but in both good and bad ways. Good in that it doesn’t impact the driving controls of the vehicle, yet bad in that the ease of gaining access to vehicle controls in this fashion doesn’t get much easier – it’s profoundly trivial.”

Hunt also found that as soon as his friend disconnected his app from the Nissan Leaf, it was no longer hackable.

How do I protect myself? And is there a fix?

The app is currently down while Nissan fixes the issue, so you’re not currently at risk. However, if you’re still worried, it could be worth unpairing the app from your Leaf and then removing the app from your phone.
