Hack warning shuts down Nissan’s online electric car app

Nissan’s ConnectEV app switched off after security vulnerabilities discovered

Nissan has shut down the servers powering its NissanConnectEV app (previously known as Carwings) because of a security failure which could allow malicious manipulation of a car's functions. The issue affects the firm's Leaf electric car and eNV200 electric van.

The gap in the software would allow a user, from anywhere in the world, to use the car’s Vehicle Identification Number (VIN) to gain access to the car’s internal controls, primarily those which manage the heating, ventilation and air conditioning systems, as well as the heated seat controls.

Although unauthorised access was not possible while the vehicle was in motion, and there was therefore no specific safety issue at stake, the decision was taken to close access to the app until a security patch could be put in place, as there were fears that ‘hackers’ could drain a car’s battery while it was parked by running various on-board systems.

The flaw was reported by security expert Troy Hunt, who claims to have first discovered it and to have warned Nissan about it before going public. "Disabling the service was the right thing to do given it appears it's not something they can properly secure in an expeditious fashion," he told the BBC. "Hopefully this will give them time to build a more robust solution that ensures vehicle features and driving history are only accessible via the authorised owner of the car."

Leaf and eNV200 affected

An official statement from Nissan said “No other critical driving elements of the Nissan Leaf or eNV200 are affected, and our 200,000-plus Leaf and eNV200 drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone - all of which are still available to be used manually, as with any standard vehicle. We apologise for the disappointment caused to our Nissan Leaf and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.”

While the stakes were not especially high in this particular case (nothing worse than a flat battery could be caused) it does point to concerns that increasing connectivity in our cars can lead to cyber-vulnerability. Last year, hackers in the US demonstrated that they could take complete control of a Jeep Cherokee via the car’s internet-accessing on-board uConnect infotainment system. In that case, major systems including steering, brakes and throttle could be affected and changed from half-a-world away, leading Fiat-Chrysler to change its security protocols.

Nonetheless, Nissan owners are concerned by this issue. Alan O’Reilly is a Leaf owner, an IT expert and the man who campaigned last year against the ESB’s changes to electric car charging prices. He told The Irish Times that “I’m an I.T. engineer so I am disappointed that the API security was so weak but in general Carwings, now called Nissan connect EV, has been a disaster, the reliability has always been an issue. This latest incident shows that while Nissan are at the cutting edge with EV cars their software and associated services are not up to scratch.

“Once Troy went public they cut access quickly enough. All that is needed is VIN number which is viewable on car or garage database. It’s more how a large company with leading tech could allow it than the actual impact.”

Nissan is, in a sense, following in the footsteps of electric car pioneer Tesla, which had to alter its security protocols in 2013 when it was found that the remote internet access to its vehicles could be compromised by a 'brute force' attack - where a computer runs through every possible permutation of password and PIN - because there was no upper limit to the number of password entries that could be tried.

With connectivity and remote access being a major part of the appeal of electric cars, and in the near future autonomous cars too, the increasing number of vulnerability issues could become a major hindrance to the breed - especially at a time when record low oil prices are driving down the cost of petrol and diesel.

Ian Robertson is editor and publisher of Diesel Car and Eco Car magazine and he told The Irish Times that "I don't think there's a safety issue here - the mischief maker can only drain the battery - I don't really see it as an enormous slight on electric cars. They just need to up the verification requirements and no-one would be able to do it again, so I reckon it'll be a quick fix. If the car is switched on it doesn't work anyway, so no safety issue.

"I just think car makers need to think a bit more seriously about security - the kind that Apple, Samsung and Co do. But I don't think this will be the last security issue we will hear about though."

The next issue could be far more damaging too - this week, car reliability experts JD Power said that problems with infotainment and connectivity systems were actually driving up unreliability issues with new cars. Such problems have caused the industrial average of problems per 100 cars to rise from 147 last year to 152 this year. "In the context of conversations around autonomous vehicles, the industry clearly has more work to do to secure the trust of consumers," Renee Stephens, vice president of U.S. automotive at J.D. Power, told Bloomberg. "If consumers can't rely on their vehicle to connect to their smartphone, or have faith that their navigation system will route them to their destination, they're certainly not yet ready to trust that autonomous technology will keep their vehicle out of the ditch."

Nissan embarrassment

Nissan Ireland told The Irish Times that "it's true to say that one of the compelling arguments for choosing a Nissan Leaf is the significant running costs savings it provides to the owner. Those savings are possible due to many factors - servicing costs are typically one third of the cost of a regular combustion engine, road tax is the lowest bracket applicable and 'fuelling' the car is significantly lower. Even with the current value to be had for petrol - 'fuelling' the Nissan Leaf still equates to approximately one eighth of the cost to fuel a 1.6 petrol combustion engine.

“It’s also worth noting that currently it’s also free to fuel the Leaf at all public infrastructure sites. It’s also important to take into consideration that the lower running costs argument is not the only reason consumers are increasingly including electric vehicles on their consideration lists. The environmental benefit, innovative features provided and the comfort associated with driving the Nissan Leaf are also very significant influencers for consumers.

“The 30kWh Nissan Leaf is currently selling extremely well. In fact we currently have a short waiting list for this model and we are continuing to see increasing interest and enquiries for the Nissan Leaf across all of our specialist Nissan Leaf dealers nationwide.”

In the meantime, Nissan’s embarrassment is palpable. As security issues go, it’s more minor annoyance than major catastrophe, but customers may become less keen to sign up to new-technology vehicles if they don’t trust the reliability and security of that tech.

Neil Briscoe

Neil Briscoe, a contributor to The Irish Times, specialises in motoring