API Flaw Exposes Nissan LEAF Cars to Remote Attacks

[37.5 seconds | 125 words]

  1. An API used by Nissan to allow LEAF owners to manage their vehicles from a mobile phone allows hackers to remotely control some of the car’s features.
  2. Experts discovered that by knowing a Nissan LEAF’s VIN, they could send requests to enable and disable the climate control, obtain information on the vehicle’s status, and even collect driving history.
  3. Fortunately, the LEAF mobile apps don’t allow users to lock or unlock the vehicle, or start it remotely.
  4. On all the Nissan LEAF vehicles seen by Hunt, the VIN is the same except for the last five digits, which makes it an easy target for a brute-force attack.
  5. Until a fix becomes available, users can protect themselves against potential attacks by disabling this service.


Security Week


Troy Hunt
