Researchers at the “Hack Yourself First” workshop were able to use a web browser to access and control certain features of a Nissan LEAF from half-way around the world.
Security researchers Troy Hunt and Scott Helme remotely manipulated a vehicle located in the U.K. from Australia using unauthenticated API (application program interface) requests sent through the NissanConnect EV application.
The researchers were able to access the vehicle's climate control features and obtain the user's ID and driving history including, distance traveled, vehicle power consumption, and "GpsDateTimes."
A potential attacker would only need the car's vehicle identification number (VIN ) in order to exploit the vulnerability in the vehicle's mobile application, the researchers said in a Wednesday blog post.
“Anyone could potentially enumerate VINs and control the physical function of any vehicles that responded,” Hunt said.
All of the requests for information were issued anonymously and were made without an authorizationtoken of any kind, Hunt said in the post.
“It's not even like they just missed auth or didn't check, it's actually not implemented,” Helme said in the post. “It was built, intentionally, without security,” he added.
The LEAF doesn't have remote locks or start, but an attacker could still exploit the vulnerability to put a significant drain on the battery over a period, which could potentially leave someone stranded, Helme said in the post.
The researchers reported the issue to Nissan in January 2016, but the vulnerability has not been patched.
SCMagazine.com attempted to reach Nissan for a comment, but it has not responded.
UPDATE: As of Feb. 25, Nissan has indefinitely taken the NissanConnect EV offline.