There are more than 200,000 Nissan Leaf electric cars on the road. But the most popular plug-in in the world may also come with one problematic feature: a hackable heat and air conditioning system.
Security expert Troy Hunt revealed the find on his blog on Wednesday after he said he spent a month going back and forth with the car maker about creating a fix for the security hole.
Nissan did not immediately respond to a request for comment from Fortune, but Hunt said he contacted the company in late January to alert Nissan about the flaw.
This isn’t the first time or the most serious way connected cars have gone buggy. Last year, hackers tapped into the controls on a Jeep Cherokee, running the windshield wipers and blasting music while also, more disturbingly, cutting the vehicle’s transmission.
On the Leaf, air conditioning and heat can be controlled via an app meant to let owners remotely pre-heat or cool their cars. But as Hunt shows, anyone with a working Internet connection and a little coding know-how can enter a few commands and control the climate in the car. Hackers also need the car’s vehicle identification number (VIN), the unique ID label that’s displayed on all cars.
Get Data Sheet, Fortune’stechnology newsletter.
“I would make the assumption that people don’t want other people being able to turn features on and off,” Hunt said in an interview with Fortune.
Hunt said he tried the trick out on a friend’s car in the U.K. using commands from his own computer in Australia.
Besides running heat and cooling, Hunt could also see a log of trip distances, learning more about the car’s daily driving patterns.
A car app relies on a fundamental security principle that Hunt says Nissan has only built up halfway: A consumer logs in to a car system on a computer or smartphone, but the app never subsequently verifies from where commands to the car are coming.
In other words, Hunt explained, “It never makes sure you are you.”
Hunt says the easiest thing for Nissan to do would be to shut the feature down until the company can develop a fix, such as some kind of an authorization token that would verify command origins. For now, Leaf owner and U.K. security consultant Scott Helme said it may be possible for consumers to temporarily opt-out of the remote system by deactivating the app from the owner portal on a computer browser.
Healthcare And Auto Companies Are In Danger Of Hacks:
Nissan continued its push toward more connected cars this week at Mobile World Congress in Barcelona. The company rolled out its 2016 edition of the Leaf, which boasts even more connectivity features. Users will be able to manage car batteries remotely, including setting timers for charging up vehicles.
“Nissan is proud to be at the forefront of developing efficient and reliable in-vehicle connected technologies that are available and accessible to all,” said Gareth Dunsmore, director of electric vehicles for Nissan Europe, during the event.
Meanwhile, Hunt underscored he’s been in conversation with people from around the world, including in Canada, the U.K., South Africa and Norway, all worried about the security hole.
Update (Feb. 24): In a statement to Fortune, Nissan said the company is aware of the NissanConnect EV App issue and is working on a fix.
