Security researchers Scott Helme and Troy Hunt have demonstrated vulnerabilities in the Nissan Leaf remote management APIs that allow anyone with the VIN number of the car to access certain features of it from anywhere across the Internet.
The attack is described in a blog post by Hunt and shown in the embedded video below. Hunt lives in Australia and Helme in the north of England, over 10,000 miles apart, underscoring the 'remoteness' of the remote attack.
Nissan has a mobile app for Apple and Android devices to allow customers to access these features. Inspired by security training he had with Hunt, Helme investigated the programming of his Nissan Leaf and found the APIs it uses open and unauthenticated. The key was absent and the car turned off during the attack.
The documented features are limited; the app allows users to:
- Check state of battery charge
- Start charging
- Check when battery charge will complete
- See estimated driving range
- Turn on or off the climate control system
There are no obviously dangerous APIs like "ReleaseBrakes", but these are only the APIs used by the documented parts of the app. There may be others.
All Nissan Leafs share a VIN prefix of "SJNFAAZE0U60" with the last 5 characters unique for each. To access the APIs you need to know the full VIN.
Hunt says he informed Nissan of the vulnerability on January 23. They have acknowledged it and say they are working on a solution, but haven't released one yet.
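The flaw described above comes down to treating the VIN as if it were a credential. The sketch below is an added example, not Nissan's code or anything from Hunt's post: it contrasts a handler that trusts the VIN alone with one that requires a verified caller who owns that VIN. All function names, the token format, the accounts and the placeholder VINs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: account -> VINs registered to it (placeholder VINs).
OWNED_VINS = {"alice": {"EXAMPLEVIN0000001"}, "bob": {"EXAMPLEVIN0000002"}}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment signing key


def _mac(account: str) -> bytes:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest().encode()


def issue_token(account: str) -> str:
    """Token handed out after login (login and expiry are out of scope here)."""
    return f"{account}.{_mac(account).decode()}"


def account_from_token(token):
    """Return the account name if the token's MAC verifies, else None."""
    account, _, mac = (token or "").partition(".")
    if account and hmac.compare_digest(mac.encode(), _mac(account)):
        return account
    return None


def climate_vulnerable(vin: str, on: bool) -> int:
    """Pattern the article describes: knowing the VIN is all that is required."""
    known = any(vin in vins for vins in OWNED_VINS.values())
    return 200 if known else 404  # also reveals which VINs exist


def climate_hardened(token, vin: str, on: bool) -> int:
    """The VIN only names the car; the caller must prove who they are."""
    account = account_from_token(token)
    if account is None:
        return 401  # no valid credential presented
    if vin not in OWNED_VINS.get(account, set()):
        # Same answer for "someone else's car" and "no such car",
        # so responses cannot be used to confirm that a VIN is valid.
        return 403
    return 200  # authorised: the command would be forwarded to the car here
```

The hardened handler makes two separate decisions, authentication (401) and ownership of the VIN (403), which are the two checks an API keyed only on the VIN never makes.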