Yesterday, we reported on a significant security hole with Nissan Leafs (and electric eNV200 vans) that would allow some HVAC systems and a good amount of owner data to be accessed via the web. The hole was, pretty much, that there was no real security at all. Happily, it looks like Nissan is taking the issue seriously and taking steps to correct it.
The NissanConnect EV app, which lets Leaf owners access their car’s information and some controls remotely, was the main conduit for the potential unwanted access, and has been made unavailable. I suspect that even for users who already have the app downloaded, the servers the app talks to (which in turn communicate with the cars) have been taken down, at least temporarily.
Here’s the statement we got from Nissan:
The NissanConnect EV app (formerly called CarWings, which is used for the Nissan LEAF and eNV200) is currently unavailable.
This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
No other critical driving elements of the Nissan LEAF or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.
We apologize for the disappointment caused to our Nissan LEAF and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
We’re looking forward to launching updated versions of our apps very soon.
Sure, in an ideal world, Nissan would have noticed what a huge security hole this was, but, whatever, we’re all human, or at least massive car companies full of humans. Nissan’s doing the right thing now, and will hopefully take care of the problem, and learn from this mistake.
I’m sure they’re not the only automaker to have overly lax online security in their connected cars. Hopefully other manufacturers will learn from this example as well.