Nissan has recalled a smartphone app that allowed hackers to drain the popular Leaf electric car’s battery.
According to Tech Insider, the security hole was found by researcher Troy Hunt, who worked out that the application programming interface (API) used only the vehicle identification number (VIN) to remotely control some of the car’s features.
Investigations showed that the flaw could have let hackers drain the car’s battery by accessing the NissanConnect EV (formerly CarWings) app.
Other features that could be seen included times and distances the car has traveled, and its climate control system.
Nissan has withdrawn the app and assured customers that no security elements of the car have been compromised.
Sergey Lozhkin, senior researcher at Kaspersky Lab, comments: “More and more cars nowadays have an option to remotely control some of their systems, including climate control and entertainment, through applications on drivers’ smartphones.
“As new in-car technology continues to develop, so too does the ability to control it remotely. According to our predictions, applications on users’ smartphones will soon be able to control critical car systems.
“In the recent Nissan Leaf case, we witnessed the following scenario: hackers downloaded the application that can control in-car systems – presumably climate control or entertainment – and used the VIN number of the car to connect to the control panel. It would not take much for this to be used for criminal gain: by simply changing a VIN number it could be possible to control another car.
“Although the functionality in this example is relatively limited, the ease with which criminals can gain access should be thought provoking for software developers,” Lozhkin says. “This type of attack could be easily prevented by enabling safe authentication procedures between the car and smartphone application, in combination with data encryption.
“The Nissan example once again demonstrates that car manufacturers need to start taking the issue of cyber-security threats to their Internet-connected cars seriously, and demand that car component manufacturers do the same.”
