Elizabeth Weise

USA TODAY

SAN FRANCISCO — Nissan on Wednesday disabled an app that allowed owners of its electric Leaf car to control their cars' heating and cooling from their phones, after an Australian researcher showed he could use it to control others' cars as well.

The NissanConnect EV app, formerly called CarWings, enabled a remote hacker to access the Leaf's temperature controls and review its driving record, merely by knowing the car's VIN (vehicle identification number).

Computer security researcher Troy Hunt published a blog post Wednesday describing how he discovered the flaw and initially reported it to Nissan on Jan. 23. He contacted the company multiple times and only posted his blog after the issue began to be discussed on security forums online, he wrote.

Nissan did not announce it was disabling the app after he had done so.

Nissan spokesman Steve Yaeger said in an email to USA TODAY that the issues relating to the app had "no effect whatsoever on the vehicle's operation or safety."

In a statement, the company said, "our 200,000 Leaf drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle."

Is your car vulnerable to hackers?

The company said it was looking forward to launching an updated version of its app "very soon."

In his blog, Hunt emphasized that while this particular security vulnerability was trivial because it didn't impact the driving controls of the vehicle, it is a cautionary tale for auto makers.

"As car manufacturers rush towards joining in on the 'Internet of things' craze, security cannot be an afterthought nor something we’re told they take seriously after realizing that they didn’t take it seriously enough in the first place," he wrote.

“We are lucky in this case that the attacks were only focused on functionality in the air-conditioning and heating system of the car and were done by a ‘white hat’ and not a criminally minded black hat hacker," said Reiner Kappenberger, a product manager with Curpertino, Calif.-based HPE Security – Data Security