The BBC Report that Nissan has suspended the functions of an app that could have been used to hack its Leaf electric cars.
The action follows the revelation that a flaw with the software meant that an attacker could run down the battery of a target’s car and see data about its recent journeys.
The firm had been informed of the problem a month ago but only acted after details of the issue were flagged online.
Nissan denies there was a safety issue. Which would seem to be a true statement.
Troy Hun, a security researcher who had alerted the Japanese automaker to the problem a month ago believes the company should have taken the step earlier. He blogged about the risk after seeing that other people had discovered and discussed it in online forums. Even so, he said he welcomed the latest development.
“Disabling the service was the right thing to do given it appears it’s not something they can properly secure in an expeditious fashion,”
“Hopefully this will give them time to build a more robust solution that ensures vehicle features and driving history are only accessible via the authorised owner of the car.”
Mr Hunt discovered that anyone can control the heating and air conditioning systems of a stranger’s Leaf by sending it commands via a web browser because the car’s companion app was not configured to verify the owner’s identity.
Instead, it only required a vehicle identification number (Vin).
Vin numbers are stencilled into the windscreens of cars and Mr Hunt noted that it would be relatively easy to script a process that would hunt the net for vulnerable vehicles.
Not good Nissan.