LEAF owners with NissanConnect EV Carwings apps will have to wait for a new app and update for remote functions like turning on the climate control. The app has been suspended after an easy hack was revealed by security expert Troy Hunt.
According to Nissan:
The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
We’re looking forward to launching updated versions of our apps very soon.
Security expert Troy Hunt showed in a YouTube video and on his website how he could turn on the heat in a LEAF in England from Australia.
The team was able to turn on heated seats and activate climate control, and generated VIN numbers until they found another owner’s LEAF VIN number.
Earlier today Nissan issued this statement:
“Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions. It has no effect whatsoever on the vehicle’s operation or safety.
Our global technology and product teams are currently working on a permanent and robust solution. We are committed to resolving the issue as a matter of priority, ensuring that we deliver the best possible experience for our customers through the app now and in the future.”
“The API can be accessed anonymously. It’s a GET request so there was nothing passed in the body nor was there anything like a bearer token in the request header. In fact, the only thing identifying his vehicle was the VIN,” wrote Hunt on his blog.
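The weakness Hunt describes, where the VIN in the URL is the only thing the server checks, can be shown beside a corrected check that authenticates the caller and confirms the account owns that VIN. This is an added example, not code from Nissan or from Hunt's post; the handler names, tokens, VINs and URL are constructed placeholders.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: account -> VINs it owns, and issued session tokens.
OWNED_VINS = {"alice": {"VIN-EXAMPLE-0001"}, "bob": {"VIN-EXAMPLE-0002"}}
SESSIONS = {"tok-alice-3f9c": "alice", "tok-bob-7a21": "bob"}


def _vin_from(url):
    """Pull the vin query parameter out of a request URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("vin", [""])[0]


def vin_only_handler(url, headers):
    """Weak pattern: any caller who supplies a valid VIN is served."""
    vin = _vin_from(url)
    return 200 if any(vin in vins for vins in OWNED_VINS.values()) else 404


def _account_for(headers):
    """Resolve an 'Authorization: Bearer <token>' header to an account, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    for issued, account in SESSIONS.items():
        # Constant-time comparison of the presented token against issued ones.
        if hmac.compare_digest(issued.encode(), token.encode()):
            return account
    return None


def climate_on_authorized(method, url, headers):
    """Corrected pattern: authenticate first, then authorize against the VIN."""
    if method != "POST":      # assumption: a state-changing call is not served over GET
        return 405
    account = _account_for(headers)
    if account is None:
        return 401            # anonymous requests are rejected outright
    if _vin_from(url) not in OWNED_VINS.get(account, set()):
        return 403            # same answer for unknown and foreign VINs, so
                              # guessing VINs reveals nothing about which exist
    return 200
```
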
I looked at my Nissan LEAF through the web portal at 4:45pm PST and it was still working. The connection was slow but is still showing the battery charge.
Older model Nissan LEAFs use 2G cellular connections which will be phased out at the end of 2016. The good thing about the Carwings apps is that we don’t pay anything for it. Hyundai Blue Link costs $99 a year and GM OnStar Remote Link is only free for 5 years.
Update 2/25/2016: We have confirmed from Nissan spokesman Steve Yaeger that “the web portal is still operational and is safe to use. The mobile app server only is off line.”