Ever since two security researchers went public in late February with the news that it was possible to use the NissanConnect EV telematics system to remotely access someone else’s Nissan LEAF or Nissan e-NV200 electric minivan simply by knowing the VIN of the victim’s car, Nissan has blocked all access to its NissanConnect EV servers made from anywhere other than its official Nissan Owners web portal.
This weekend, that block was lifted shortly following the release of an updated smartphone app for both Android and Apple users, once again making it possible for owners to interact with their Nissan LEAF or Nissan e-NV200 electric vehicles remotely.
Launched at the end of last year, NissanConnect EV was intended to be a replacement for Nissan’s notoriously unreliable CARWINGS telematics system. Offering electric car owners a way to remotely check on their car’s state of charge, start and stop climate control and begin charging, CARWINGS may have been unreliable but at least had a decent amount of security in place to prevent unauthorised remote access to customers’ cars.
When it took over from CARWINGS, NissanConnect EV added remote route-planning and greater access to energy records in addition to the original functionality offered by CARWINGS. It also managed — despite asking owners for their username and password — to completely bypass any security protocols. Consequently, while it wasn’t possible to remotely lock a car (that feature has never been offered on Nissan’s electric cars to date), it was possible for anyone with the right know-how and time to remotely access each and every Nissan LEAF or Nissan e-NV200 whose VIN they knew. Given that VINs follow a specific pattern (and can be easily guessed once that pattern has been found), Nissan’s new telematics system was essentially ripe for picking by ne’er-do-wells and hackers.
The flaw itself had been known about for some time among software-savvy Nissan LEAF owners and was reported to Nissan directly by software security experts Troy Hunt and Scott Helme at the start of January.
Despite receiving this tip-off, Nissan chose to keep the system active for another month in its unpatched state. It wasn’t until the pair went public at the end of February that Nissan finally shut the software backdoor by placing its servers behind a Nissan-only firewall rule.
The new app quietly rolled out over the weekend across key markets for Nissan’s all-electric cars. While there have been plenty of changes underneath to improve security, the app’s functionality and operation haven’t changed, meaning many Nissan LEAF and e-NV200 owners weren’t even aware the update had happened.
When questioned about the update, a Nissan spokesperson issued us with the following statement:
The LEAF/e-NV200’s smart phone app service (NissanConnect EV) is now available and the updated version can be downloaded on both Apple and Android smartphones. Following intensive and thorough testing, the security issue identified has now been resolved, and the app has been validated by both internal and external experts. We apologize for any inconvenience caused and thank our customers for their patience while we resolved this issue.
As for the third-party apps which had been written to take advantage of the NissanConnect EV telematics system? Since Nissan has revamped its security protocols, it may take a while for developers to figure out the new protocol and indeed, to write compliant applications capable of talking to Nissan’s servers. For now, that means if you’re using a third-party web service, smartphone app or smartwatch app that isn’t officially from Nissan, you’ll still have trouble connecting to the service.
The good news? If you’ve got fed up with returning to a hot car as the weather warms up for spring or you want to see if your car will make that trip without charging up, at least you can now use Nissan’s official app again rather than the Nissan web portal.
Let’s just hope there are no more security flaws…