The video above may not be "Mad Max: Fury Road," but it’s still edge-of-your-seat action. A hacker by the name of Troy Hunt, sitting poolside in sunny Australia, hacks into Scott Helme’s Nissan Leaf in cold, rainy northern England.
Hunt not only takes control of an app that remotely controls the heater and AC, he also accesses Big Data about the Leaf owner’s trips, including where he went. The video lets you see this happening in real time. Hunt warms up Helme’s seat heaters, and then turns them off — all with the car shut down. All he needed was the Leaf’s VIN number.
Nissan has been touting this capability, and rightly so — it's really cool, and gas cars can't do it:
“It’s a sweltering August day and you know you’ll be getting in the car in 15 minutes. Use your smartphone or computer to remotely turn on the air-conditioning and voila, you’ll be entering a nice cool car. The system also works to remotely turn on the heater.”
Nissan has temporarily disabled the remote app, which is also used on the eNV200 van (not yet sold in the U.S.). Nissan’s Steve Yaeger tells me:
“The NissanConnect EV app (formerly called CarWings, and used for the Nissan Leaf and eNV200) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
“No other critical driving elements of the Nissan LEAF or eNV200 are affected, and our 200,000-plus Leaf and eNV200 drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.
“We apologize for the disappointment caused to our Nissan Leaf and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality of our products is paramount.”
This is scary stuff, and I’ve been writing about it for a while. It was just last summer that similar hackers — who delight in their omnipotence — hacked into a moving Jeep, remotely switched its wipers on and off, blasted rap from a hip-hop station, blasted the AC — and then cut power to the transmission, sending the Cherokee to the side of the road.
The stunt threw Fiat Chrysler Automobiles (FCA) into a tizzy. The hackers got in through the Jeep’s Uconnect infotainment system via the Sprint network, and it’s when cars start connecting to the outside world that they make themselves vulnerable to manipulation. FCA had to recall 1.4 million cars to fix the problem.
Although the FCA hack cost the automaker big time, these intrusions are relatively benign — their core aim is to expose vulnerabilities. But less well-intentioned computer nerds have been stealing cars with laptops and remote devices.
Auto security’s worst nightmare fits in your hand. It’s a small board with $26 worth of electronic parts (an Arduino mini pro, resistors, a voltage regulator, Ethernet cable, LCD and SD card reader among them) that plugs into a car’s Controller Area Network (popularly known as the CAN bus) to enable all kinds of remote mischief.
Many of the thefts have been happening in Europe. The Daily Mail reported, “Figures from London’s Metropolitan Police Service (MPS) claim half of car thefts in London last year were committed without the use of force. Instead, it is thought criminals used high-tech gadgets designed for locksmiths to gain access and drive away without raising suspicion.”
The auto industry isn’t handling this well. It needs to stop being reactive to each specific hack and realize it has a bigger problem on its hands. I suggest that the industry’s over-confident IT guys hold a summit meeting, pool their knowledge, and start building systems that can’t be hacked by any coder with a laptop.
Keep in mind this problem will get much worse with self-driving cars, which won’t be able to operate unless they’re constantly communicating on networks.