Security researchers at Black Hat Asia 2025 have revealed serious vulnerabilities in the Nissan Leaf electric vehicle that allowed remote access to some of the car’s features through Nissan’s mobile app.
The flaws were discovered by a team from the Singapore University of Technology and Design (SUTD), who showed how attackers could exploit these issues without needing a password or the owner’s permission.
The attack was made possible through the NissanConnect EV app, a smartphone application that lets owners control certain car functions, like checking battery levels and turning on the air conditioner. The main problem was how the app and the car communicated using the vehicle’s VIN (Vehicle Identification Number), a unique but easy-to-guess code found on most vehicles.
By reverse-engineering the mobile app and the API it communicates with, researchers discovered multiple critical flaws. The most serious issue was that the backend server did not verify whether a legitimate user was sending a command. As long as an attacker had the VIN of a target vehicle, they could send commands to the car remotely without any authentication. Since VINs follow a predictable pattern, attackers could automate the process of finding valid ones and start sending commands.
Some actions hackers could perform include turning the heater or air conditioner on and off, checking the vehicle’s current status, viewing the driving route history, and even retrieving the car’s latest location. While the exploit did not allow attackers to unlock or start the car, the privacy implications are serious. For example, viewing driving history and location data could let a hacker track an individual or learn their daily routine.
Beyond just one vulnerability, the researchers highlighted a set of architectural problems in the system:
- No authentication required: The mobile API allowed commands to be sent without verifying the user.
- No rate limiting or brute-force protection: Attackers could try thousands of VINs automatically without being blocked.
- Poor encryption and communication security: The app did not use secure communication channels for all requests.
- Hardcoded and guessable VINs: Since VINs are visible on dashboards and follow known patterns, they are easy to guess.
- Weak vehicle-server binding: There was no strong link between a specific user account and a vehicle, making impersonation possible.
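To make the first, second and last of these concrete, here is an added example (not Nissan's code, and not from the SUTD research) that shows the VIN-only command pattern next to a hardened handler that rate-limits, authenticates the caller and checks that the VIN is bound to that account. The session table, account-to-VIN map and VIN values are constructed placeholders.

```python
# Added example, not Nissan's code: a VIN-only command handler beside a
# hardened one that rate-limits, authenticates and checks vehicle binding.
from collections import defaultdict
from dataclasses import dataclass, field
import time

# Constructed sample data (hypothetical values, not real identifiers):
# session token -> account, and account -> VINs enrolled to that account.
SESSIONS = {"token-alice": "alice"}
OWNED_VINS = {"alice": {"VIN-EXAMPLE-0001"}}


def vulnerable_climate_command(vin: str, action: str) -> dict:
    """The pattern described above: knowing a VIN is enough to command the car."""
    return {"ok": True, "vin": vin, "action": action}


@dataclass
class CommandService:
    max_per_minute: int = 10
    _hits: dict = field(default_factory=lambda: defaultdict(list))

    def _rate_limited(self, key: str, now: float) -> bool:
        """Sliding one-minute window; failed attempts count too."""
        window = [t for t in self._hits[key] if now - t < 60]
        if len(window) >= self.max_per_minute:
            self._hits[key] = window
            return True
        window.append(now)
        self._hits[key] = window
        return False

    def climate_command(self, token: str, vin: str, action: str,
                        client: str, now: float = None) -> dict:
        """Hardened handler: throttle, then authenticate, then authorize the VIN."""
        now = time.time() if now is None else now
        # 1. Throttle per client before any other work, so bulk VIN probing stalls.
        if self._rate_limited(client, now):
            return {"ok": False, "error": "rate_limited"}
        # 2. Authenticate: the request must carry a valid session token.
        user = SESSIONS.get(token)
        if user is None:
            return {"ok": False, "error": "unauthenticated"}
        # 3. Authorize: the VIN must be bound to this account. The same answer
        #    for "not yours" and "unknown VIN" gives no enumeration signal.
        if vin not in OWNED_VINS.get(user, set()):
            return {"ok": False, "error": "forbidden"}
        return {"ok": True, "vin": vin, "action": action}
```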
The researchers notified Nissan, and the vulnerable endpoints have since been taken offline. Nissan acknowledged the issue and is working to improve the overall security of its connected services.
This case is a strong reminder of the risks that come with adding internet connectivity to vehicles. Connected car apps offer convenience, but they also introduce new attack surfaces that need careful protection. Left unsecured, these systems could be abused for stalking, data theft, or future remote-control exploits. As cars become more digital, strong cybersecurity must be a top priority.
Bijay Pokharel