A Nissan Leaf, a five-door electric compact, in the UK was controlled by hackers sitting in Australia

Nissan has disabled the NissanConnect EV smartphone app for Nissan Leaf cars after hackers took control of the electric car using the app. The Japanese automaker plans to relaunch the app after fixing security loopholes.

"We apologize for the disappointment caused to our Nissan Leaf customers who have enjoyed the benefits of our mobile apps," Nissan wrote in an email to Computerworld.

The NissanConnect EV app is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route... The only functions that are affected are those controlled via the mobile phone - all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps...
- Nissan's response to Computerworld

The issue came to light when two security analysts, Troy Hunt and Scott Helm, demonstrated in a YouTube video how they could access a Nissan Leaf in England while sitting in Australia, using the insecure APIs in the Leaf's iPhone app.

The researchers said they first reported the security flaw to the carmaker in January but received a cold response. They then posted the YouTube video showing how the car could be hacked using the app.

The NissanConnect smartphone app Troy Hunt

"Fortunately, the Nissan Leaf doesn't have features like remote unlock or remote start, as some vehicles from other manufacturers do, because that would be a disaster with what's been uncovered. Still, a malicious actor could cause a great deal of problems for owners of the Nissan Leaf," Helm, who assisted Hunt in the hack, said.

Though the experimental hack would not cause damage to the vehicle, it gives remote access to a hacker, who could, for example, switch on or off the car's pre-heating or pre-cooling system from a web browser and drain the car's battery. A hacker could also get the car's driving history.