Earlier today, we reported on a major security flaw in the recently launched NissanConnect EV telematics system for all Nissan-brand electric cars.
The flaw, discovered by a team of security researchers and reported to Nissan one month ago, made it possible for anyone to interact with a NissanConnect EV-registered car by knowing, guessing or brute-forcing the car’s Vehicle Identification Number (VIN).
While Nissan hasn’t officially announced a patch for the flaw, it appears the Japanese automaker has confirmed it has at least stopped ne’er-do-wells from maliciously accessing the service by blocking all Internet traffic to its service that comes from outside Nissan’s official website.
Since we reported on the news this morning, we’ve been keeping a close eye on the NissanConnect EV service and the discovered API flaw to see how Nissan planned to patch the flaw. In the past few hours, we’ve heard from multiple LEAF owners reporting that the NissanConnect EV app no longer connects to Nissan’s servers, while remote API requests made directly to the servers detailed by the security researchers earlier today are no longer being processed.
Having confirmed this behavior ourselves, we’re confident the dropped connections mean that Nissan has erected a crude — if effective — computer firewall to ensure that customers’ cars are kept safe, and no personal data is leaked.
UPDATE: Nissan has just confirmed its actions to us via email in the following statement:
The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
While access is now being prohibited from outside Nissan’s network, it’s still possible to remotely check on your car’s state of charge, precondition the cabin, and start charging remotely from Nissan’s various official NissanConnect EV web portals, where there are presumably extra checks in place to ensure that only those with a username and password can access the service.
While this may be a frustrating development for those hoping to use the NissanConnect EV smartphone app to control or check on their Nissan LEAF electric car or Nissan e-NV200 electric minivan at this moment in time, it means that Nissan is taking the security threat seriously and is already working hard to find a more permanent solution.
For now, Nissan has done the equivalent of turning off the water supply upon finding a flooded pipe. While nobody can access the water system, it does at least mean there’s no longer a flood. And when Nissan has figured out where the broken ‘pipe’ is, we’re guessing it will turn the water back on, granting access again to the Connect EV service for its official smartphone apps.
As we said earlier, we’ll continue to report on this evolving story as and when we have more information.
UPDATE 2: We understand from our contacts in Canada that the Canadian server is still alive and accepting connections. We’ll update you should this change.