The security flaw was discovered by Troy Hunt, an independent Australia-based IT security researcher:
Comments Sergey Lozhkin, senior researcher at Kaspersky Lab’s GReAT, “More and more cars nowadays have an option to remotely control some of their systems, including climate control and entertainment, through applications on drivers’ smartphones. As new in-car technology continues to develop, so too does the ability to control it remotely. According to our predictions, applications on users’ smartphones will soon be able to control critical car systems. In the recent Nissan Leaf case, we witnessed the following scenario: hackers downloaded the application that can control in-car systems - presumably climate control or entertainment - and used the VIN number of the car to connect to the control panel. It would not take much for this to be used for criminal gain: by simply changing a VIN number it could be possible to control another car. Although the functionality in this example is relatively limited, the ease with which criminals can gain access should be thought-provoking for software developers. This type of attack could be easily prevented by enabling safe authentication procedures between the car and smartphone application, in combination with data encryption. The Nissan example once again demonstrates that car manufacturers need to start taking the issue of cyber-security threats to their internet-connected cars seriously, and demand that car component manufacturers do the same.”
Nissan has said that it will soon be launching an updated version of its app.
