Security researcher says it is possible to hack “Nissan LEAF” cars using a mobile phone!

The Nissan LEAF is an electric car, which is the best-selling car all around the world. It has a lot of features. Nissan has developed applications for both Android and iOS to control some of them. In simple words, the owner of a Nissan LEAF can control it from a mobile phone. Troy Hunt, a famous Australian security expert, has found a vulnerability in the API of Nissan’s LEAF car application. According to Troy Hunt, hackers can exploit this vulnerability to hack the car remotely and control many of its features.

When Troy reported this vulnerability, other security researchers also confirmed it. In December 2015, this vulnerability had been discussed publicly on a forum of French security experts. The Nissan LEAF is an electric car, and Nissan provides an application for its owners to control its features. Troy Hunt was working at his workshop, which is located in Norway, when one of his students came in a Nissan LEAF and was controlling the car from his mobile phone.

The student told Troy that he was controlling the car from an iOS application, which uses only the VIN (Vehicle Identification Number) to authenticate users. This application is also available on the Android Play Store. After that, Troy ran a number of tests on the car and found this vulnerability. Another security researcher, Scott Helme, was with him, and they showed how to hack this car remotely.

By exploiting this vulnerability, hackers can turn on the car's AC and access driving data, including travel distance and power consumption. But it is not possible to unlock or lock the car by exploiting this vulnerability. The engine is also safe from this security flaw. Nissan also revealed that this is possible.

How is it possible?

It is possible because all Nissan LEAF cars have the same VIN number; only the last five digits are different. Therefore, hackers can try all the possible combinations of those digits to exploit this vulnerability. On January 23, Troy reported this vulnerability to Nissan, and it is still unpatched. Users are advised to disable this service by logging into their account from a web browser until updates for the application are released.
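
The flaw described above, sketched as an added example (not Nissan's code and not from the original article): an endpoint that trusts a VIN alone, beside one that requires a logged-in session whose account owns that VIN. The VINs, accounts, passwords and function names are all constructed for illustration.

```python
import hmac
import secrets

# Constructed sample data: these VINs differ only in their trailing digits,
# as the article says real LEAF VINs do. None of it is real.
VEHICLES = {
    "EXAMPLEVIN0000001": {"owner": "alice", "climate_on": False},
    "EXAMPLEVIN0000002": {"owner": "bob", "climate_on": False},
}
PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}  # real systems store salted hashes
SESSIONS = {}  # session token -> account name, filled in by login()


def login(user, password):
    """Issue an unguessable session token after a password check."""
    expected = PASSWORDS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def set_climate_vin_only(vin, on):
    """Flawed pattern: the VIN is the only thing the caller has to present."""
    car = VEHICLES.get(vin)
    if car is None:
        return 404
    car["climate_on"] = on
    return 200


def set_climate_authorized(token, vin, on):
    """Hardened: the caller needs a session, and that account must own the VIN."""
    user = SESSIONS.get(token)
    if user is None:
        return 401
    car = VEHICLES.get(vin)
    # Same answer for an unknown VIN and for someone else's VIN, so the
    # endpoint cannot be used to learn which VINs exist.
    if car is None or car["owner"] != user:
        return 403
    car["climate_on"] = on
    return 200
```

The point of the hardened version is that a VIN is an identifier, not a secret: it names the car, while the session token proves who is asking.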

This is not the first time a security researcher has reported a vulnerability in an electric car; a number of vulnerabilities have been found by other security researchers in the past. Therefore, the Government of the United States is asking automobile companies to take security seriously. The government asked the companies to make their engineers aware of security, because the security of the customer is a must in business. Some companies are offering large amounts as a reward to those who tell them about vulnerabilities in their automobile products.

Source: SecurityWeek