Want another reason to be skeptical about the idea of connected cars? Here's one: when Nissan put together the companion app for it's Leaf electric vehicle—the app will turn the climate control on or off—it decided not to bother requiring any kind of authentication. When a Leaf owner connects to their car via a smartphone, the only information that Nissan's APIs use to target the car is its VIN—the requests are all anonymous. Those are the findings of Troy Hunt and Scott Helme, who published their findings on Wednesday. Thursday, Nissan took the service offline.
Hunt started poking into NissanConnect after running a workshop in Norway in January. Norway is overflowing with EVs, and one of them belonged to an attendee. "What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs." Upon discovering that his friend Helme also owned a Leaf, the pair began to investigate just how insecure NissanConnect was.
In a lengthy post describing the details of the security flaw, Hunt also lays out a timeline as well as the ethical justification for doing so. He first contacted Nissan to alert it to the problem on January 23rd, describing the company as "receptive" and their behavior as "exemplary" during the process. But it didn't move with sufficient speed for Hunt, as he received an e-mail from a Canadian Leaf owner last week about the issue last week. He let Nissan know he was planning on going public, doing so on Wednesday.