Nissan yanks remote-access Leaf app — 4+ weeks after researchers report critical flaw

The remote access Leaf app has been recalled by Nissan, more than a month after researchers went to the company to report that they could remotely drain the battery and download the log of all the car's movements.

Nissan isn't saying what it has done since Jan 23: either it did nothing (except, perhaps, plan PR strategies), or it attempted and failed to patch the security of its app. The vulnerability was publicly disclosed on Feb 23. On Feb 25, the company shut down the app and said it was "looking forward to launching updated versions of [its] apps very soon."

Information security has been a particularly pressing concern in the auto industry, where the concept of the connected car has, at times, moved faster than the industry's ability to keep hackers at bay. The NissanConnect hack, which allows an individual to download and manipulate settings if they have a Leaf's VIN number, is not the most serious hack — there doesn't appear to be any situation where it would put a moving vehicle in harm's way — but it could effectively disable a car by draining the battery. In the worst case, hackers could also use drive logs to get a sense of when the car's owner is at home, at work, or elsewhere.

Nissan pulls the Leaf's phone app after security vulnerabilities come to light
[Chris Ziegler/The Verge]