Security researcher Troy Hunt discovered that the Nissan LEAF electric car suffers from a significant security vulnerability that enables a hacker to access the car's connected system just by knowing the car's unique Vehicle Identification Number (VIN). This number is printed on a sticker in the windscreen but could also be guessed via a brute-force method because only five of its digits vary from car to car.
The attack does not affect driving controls in any way, but could allow attackers to turn on the heating or air conditioning systems, which could drain the battery of parked cars.
"There's nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air conditioning on in every one," according to Hunt. "They would then get a response that would confirm which vehicles exist."
As noted by one of Hunt's contacts in the UK, hacking to control an air conditioner, heater, or access travel logs doesn't seem too threatening, but someone could drain your battery while you were parked at work without a charge point, for example, preventing you from getting home. The privacy and security risk of someone being able to access all your journeys is also concerning.
Hunt informed Nissan of the vulnerability over a month ago. The car maker promises it's working on a solution but doesn't deem it to be a safety risk. Check out Hunt's blog for details on how you can protect your car if you drive a LEAF.
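
One way a service operator could spot the scripted sweep Hunt describes, as an added example that is not from the original article, from Hunt, or from Nissan: it counts how many distinct VINs each client queries inside a sliding time window. The log format, the placeholder VIN prefix, the client addresses and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed log lines, hypothetical format: '<ISO time> <client> <VIN> <status>'.
    'EXAMPLEVIN00' is a placeholder prefix; only the last five digits vary."""
    base = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
    lines = []
    # An owner polling the same car a few times.
    for i in range(4):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 EXAMPLEVIN0012345 200")
    # One client walking through consecutive five-digit suffixes.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        status = 200 if i % 9 == 0 else 404
        lines.append(f"{ts} 203.0.113.50 EXAMPLEVIN00{20000 + i:05d} {status}")
    return lines

def find_vin_sweeps(lines, window=timedelta(minutes=10), max_distinct=5):
    """Return {client: peak distinct-VIN count} for every client that queried
    more than max_distinct different VINs inside any sliding window."""
    events = defaultdict(list)
    for line in lines:
        ts, client, vin, _status = line.split()
        events[client].append((datetime.fromisoformat(ts), vin))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        in_window = defaultdict(int)  # VIN -> occurrences inside the window
        for ts, vin in evs:
            in_window[vin] += 1
            # Drop events that have fallen out of the window.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[client] = peak
    return flagged

if __name__ == "__main__":
    print(find_vin_sweeps(make_sample_log()))
```

Detection like this only limits the damage; the underlying fix is for the service to check that the requested VIN belongs to the authenticated account.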