Nissan’s connected car app offline after shocking vulnerability revealed

Researchers used a web browser to hack into Nissan controls that are available through the LEAF Nissan Connect app. Nissan is aware of the situation and is working on a fix. Troy Hunt, a security expert, met a LEAF owner at the NDC conference in Norway who helped him discover the code behind the app, using a proxy to see all the requests the app made. “The API can be accessed anonymously. It’s a GET request so there was nothing passed in the body nor was there anything like a bearer token in the request header. In fact, the only thing identifying his vehicle was the VIN,” wrote Hunt on his blog. The team was able to access the battery status, turn on heated seats, activate climate control, and make up VIN numbers until they found another owner’s LEAF VIN number.
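The flaw Hunt describes is a missing authentication and ownership check on the server. The sketch below is an added example, not Nissan's code or anything from Hunt's post. It puts a handler that trusts the VIN alone beside one that requires a bearer token and checks that the caller owns the vehicle. All names, VINs, the key and the token format are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: accounts, VINs and key are placeholders.
SERVER_KEY = b"demo-key-not-for-production"
VEHICLE_OWNER = {"VIN-PLACEHOLDER-0001": "alice", "VIN-PLACEHOLDER-0002": "bob"}
BATTERY = {"VIN-PLACEHOLDER-0001": 82, "VIN-PLACEHOLDER-0002": 47}


def _sign(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user):
    """Return 'user.signature', handed out after login (login not shown).
    Simplified: a real token would also carry an expiry."""
    return f"{user}.{_sign(user)}"


def authenticate(headers):
    """Return the user named by a valid bearer token, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user, _, sig = token.rpartition(".")
    if scheme != "Bearer" or not user or not sig:
        return None
    ok = hmac.compare_digest(sig.encode(), _sign(user).encode())
    return user if ok else None


def battery_status_vin_only(headers, vin):
    """The pattern in the article: the VIN alone selects the vehicle."""
    if vin not in BATTERY:
        return 404, None
    return 200, {"battery_percent": BATTERY[vin]}


def battery_status_authorized(headers, vin):
    """Authenticate the caller, then check the caller owns the VIN."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    # Same answer for an unknown VIN and someone else's VIN, so the
    # response does not confirm which VINs exist.
    if VEHICLE_OWNER.get(vin) != user:
        return 404, None
    return 200, {"battery_percent": BATTERY[vin]}
```

The same ownership check belongs on every endpoint that takes a VIN, including the ones that change vehicle state such as climate control.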