The world's best-selling electric car, the Nissan Leaf, can be remotely hacked thanks to insecure application programming interfaces (APIs) supplied by the car maker, two security researchers have found.
Security researchers Troy Hunt and Scott Helme have demonstrated that the unsecured APIs, combined with a car's vehicle identification number (VIN) - which is easily visible through a car's windshield - could allow attackers to remotely control features like the air conditioning and heated seating.
The vulnerability exists in Nissan's Connect app for iOS and Android, which allows users to control their car.
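The core defect the researchers describe is an authorisation check that rests on the VIN alone, a value anyone standing next to the car can read. The following is an added illustration, not code from the article and not Nissan's own API: a toy server-side handler that looks a vehicle up by VIN only, next to a hardened version that requires an authenticated session and checks that the session's account actually owns that VIN. The function names, the owner table, the token store and the VINs are all constructed for the example.

```python
"""
Added illustration of VIN-only authorisation versus owner-bound authorisation.
Not Nissan's code; all names, VINs and the token store are constructed here.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: which account is allowed to control which VIN.
OWNER_OF_VIN = {
    "EXAMPLEVIN0000001": "alice",
    "EXAMPLEVIN0000002": "bob",
}


@dataclass
class SessionStore:
    """Maps bearer tokens to the account that logged in. In a real service the
    token comes from a login step; issue() stands in for that here."""
    tokens: dict = field(default_factory=dict)

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        # Compare against every stored token in constant time so response
        # timing does not leak how much of a guessed token matched.
        for stored, user in self.tokens.items():
            if hmac.compare_digest(stored, token):
                return user
        return None


def climate_control_vulnerable(vin: str, action: str) -> dict:
    """The pattern the researchers described: the VIN is the only thing the
    server checks. Because VINs are visible through the windshield, this
    endpoint effectively accepts commands from anyone for any enrolled car."""
    if vin not in OWNER_OF_VIN:
        return {"status": "error", "reason": "unknown vehicle"}
    return {"status": "ok", "vin": vin, "action": action}


def climate_control_fixed(sessions: SessionStore, token: str, vin: str, action: str) -> dict:
    """Hardened form: the caller must present a valid session token, and the
    account behind that session must own the requested VIN. Both failure cases
    return the same generic response so the endpoint does not confirm which
    VINs are enrolled."""
    user = sessions.lookup(token)
    if user is None or OWNER_OF_VIN.get(vin) != user:
        return {"status": "error", "reason": "not authorised"}
    return {"status": "ok", "vin": vin, "action": action}


def demo() -> dict:
    """Runs the same request through both handlers and reports the outcomes."""
    sessions = SessionStore()
    alice_token = sessions.issue("alice")
    bobs_car = "EXAMPLEVIN0000002"
    alices_car = "EXAMPLEVIN0000001"
    return {
        # VIN-only check: a request for Bob's car with no credentials succeeds.
        "vuln_anyone": climate_control_vulnerable(bobs_car, "ac_on")["status"],
        # Owner-bound check: no session, rejected.
        "fixed_no_token": climate_control_fixed(sessions, "", bobs_car, "ac_on")["status"],
        # Owner-bound check: valid session, but not the owner of that VIN, rejected.
        "fixed_wrong_car": climate_control_fixed(sessions, alice_token, bobs_car, "ac_on")["status"],
        # Owner-bound check: valid session for the owner, allowed.
        "fixed_own_car": climate_control_fixed(sessions, alice_token, alices_car, "ac_on")["status"],
    }


if __name__ == "__main__":
    print(demo())
```

The ownership lookup is the part that matters: a session token on its own only proves that someone logged in, and the server still has to tie that identity to the specific vehicle being commanded before acting on the request.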
Attackers could also access the username of the car's owner, which - despite not being "personally identifiable information such as the individual's address" Hunt wrote - wouldn't take "too much effort to fill that gap".
The researchers also said the car's telematics system leaked historic driving data - the time and distance of every trip made - which they said could be used to predict when the driver would be away from home.
"This kind of data should be collected and secured with the utmost respect for my privacy," Helme said.
Hunt demonstrated the flaw by accessing Helme's Nissan Leaf, located in England, from Australia.
Hunt said while attackers could not exploit the vulnerabilities to create a life-threatening situation, they could do things like run down a vehicle's battery.
"If your car is parked on the drive overnight or at work for 10 hours and left running, you could have very little fuel left when you get back to it ... you'd be stranded," Helme wrote.
Nissan Leaf owners who use the Connect app are at risk, the researchers warned.
While it is good that the hack "doesn't impact the driving controls of the vehicle ... the [process] of gaining access to vehicle controls in this fashion doesn't get much easier - it's profoundly trivial," Hunt wrote.
"As car manufacturers rush towards joining on the internet of things craze, security cannot be an afterthought."
Hunt said he notified Nissan first about the issue a month ago as part of responsible disclosure, with several subsequent attempts to discuss the problem, but did not hear back.
Last year researchers revealed the Jeep Cherokee could be remotely controlled by hackers who were able to turn off a car's engine while it was driving.
Fiat Chrysler recalled 1.4 million Cherokees in the US as a result, and later recalled almost 8000 sport utility vehicles to update their radio software in order to prevent hacking.