Nissan has shut down a popular mobile app for its Leaf electric vehicle after security experts demonstrated they could use the app's insecure APIs to remotely control any vehicles' functions.
"We apologize for the disappointment caused to our Nissan Leaf customers who have enjoyed the benefits of our mobile apps," Nissan wrote in an emailed reply to Computerworld. "However, the quality and seamless operation of our products is paramount."
The unsecured APIs allow anyone who knows the VIN of a car to access non-critical features such as climate control and battery charge management from anywhere across the Internet. Additionally, someone exploiting the unauthenticated APIs can see the car's estimated driving range.
Along with controlling some vehicle functions, the other main concern is that the telematics system in the car makes available historic driving data, one security expert said in a blog post.
Nissan said it has shuttered access to the NissanConnect EV app (formerly called CarWings), following the security experts' report and its own internal investigation.
Nissan said it found the dedicated server for the NissanConnect EV app "had an issue" that enabled the temperature control and other telematics functions to be accessible via a non-secure route.
"No other critical driving elements of the Nissan Leaf are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence," a Nissan spokesman wrote. "The only functions that are affected are those controlled via the mobile phone -- all of which are still available to be used manually, as with any standard vehicle."
The carmaker added that it plans to re-launch NissanConnect EV once it's been updated.
Craig Young, a cybersecurity researcher for security software developer Tripwire, said that while cloud connected car tech is in its infancy, "it is likely that we will continue to hear about privacy and security related issues."
"Generally speaking, any service, but especially services pertaining to connected cars, should not be authenticated based on non-private data. For example, with a service like this, it would be better to have an authentication token provided to clients upon login and then used as an access control to prove that the client is authorized to perform actions on that VIN," he wrote in an email to Computerworld.
Nissan should consider implementing two-factor authentication for its mobile apps, which might require a more involved first time setup by drivers, but would be worth it, Young said.
"Fortunately, in this case I would not expect there to be any safety concerns, but the possibility remains that this flaw could be used in conjunction with other vulnerabilities to further compromise a connected car," Young added.
Sign up for CIO Asia eNewsletters.