Critical Vulnerability in Nissan Leaf Allows Remote Control of Vehicle Functions

A significant security flaw has been identified in the second-generation Nissan Leaf electric vehicles (EVs), specifically the 2020 models, which could allow attackers to remotely control various vehicle functions. This vulnerability, discovered by researchers at PCAutomotive, was demonstrated at the Black Hat Asia 2025 conference, highlighting the potential for malicious actors to manipulate critical systems such as doors, mirrors, steering, and safety mechanisms from any location with cellular connectivity.

The Exploit Chain: From Bluetooth to CAN Bus

The attack begins by exploiting a stack buffer overflow (CVE-2025-32059) in the Leaf’s Bluetooth Hands-Free Profile (HFP) implementation. Attackers can trigger the flaw by sending malicious audio stream data to the vehicle’s infotainment system, which requires only brief proximity to the target, for example in a parking lot or at a traffic stop.

Once initial access is achieved, the attack progresses through several stages:

1. Persistence Mechanism: The compromised system connects to attacker-controlled servers through the Leaf’s embedded cellular modem and installs itself so that it survives reboots.

2. Firewall Manipulation: Attackers disable critical iptables rules, enabling unrestricted external communication.

3. CAN Bus Takeover: By exploiting a stack overflow in the Renesas RH850 microcontroller, researchers bypassed Nissan’s gateway filters, gaining the ability to transmit raw Controller Area Network (CAN) messages.
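Stage 2 above, the removal of iptables rules, is the kind of change a defender can catch by comparing the unit's live ruleset against a known-good baseline. The following Python is an added example written for this article; it is not code from PCAutomotive, Nissan or Bosch. The two `iptables-save` dumps inside it are constructed sample data, and the interface name `wwan0` and the address `203.0.113.10` are placeholders.

```python
"""Detect tampering with a baseline iptables ruleset.

Added example for this article, not code from PCAutomotive, Nissan or Bosch.
It parses two `iptables-save` dumps, a known-good baseline and a current
capture, and reports rules that disappeared and chain policies that were
relaxed from DROP/REJECT. Both dumps below are constructed sample data; the
interface name wwan0 and the address 203.0.113.10 are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# ":CHAIN POLICY [packets:bytes]" header lines written by iptables-save
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s+\[\d+:\d+\]$")


@dataclass
class Ruleset:
    policies: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (table, chain) -> policy
    rules: Set[Tuple[str, str]] = field(default_factory=set)            # (table, rule text)


def parse_iptables_save(text: str) -> Ruleset:
    """Collect chain policies and -A rules per table from iptables-save output."""
    rs = Ruleset()
    table = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # "*filter", "*nat", ...
            table = line[1:]
            continue
        m = POLICY_RE.match(line)
        if m:
            rs.policies[(table, m.group(1))] = m.group(2)
        elif line.startswith("-A "):
            rs.rules.add((table, line))
    return rs


def diff_rulesets(baseline_text: str, current_text: str) -> Dict[str, list]:
    """Return rules missing from `current` and policies relaxed relative to `baseline`."""
    base = parse_iptables_save(baseline_text)
    cur = parse_iptables_save(current_text)
    removed = sorted(base.rules - cur.rules)
    relaxed: List[Tuple[str, str, str, str]] = []
    for (table, chain), policy in base.policies.items():
        now = cur.policies.get((table, chain))
        if policy in ("DROP", "REJECT") and now != policy:
            relaxed.append((table, chain, policy, now or "<chain missing>"))
    return {"removed_rules": removed, "relaxed_policies": sorted(relaxed)}


# Constructed baseline: default-deny, egress pinned to one backend over the modem.
BASELINE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -o wwan0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed capture after tampering: OUTPUT policy flipped to ACCEPT and the
# pinned egress rule gone, so anything can now leave over the modem.
TAMPERED = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


if __name__ == "__main__":
    report = diff_rulesets(BASELINE, TAMPERED)
    for table, rule in report["removed_rules"]:
        print(f"removed from {table}: {rule}")
    for table, chain, was, now in report["relaxed_policies"]:
        print(f"policy relaxed on {table}/{chain}: {was} -> {now}")
```

On a real unit the baseline is captured once with `iptables-save` at provisioning time and the current dump periodically; `diff_rulesets` only needs the two texts, so the comparison can run on a separate monitoring ECU or backend rather than on the possibly compromised head unit.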

Demonstrated Capabilities

During live demonstrations, the researchers were able to remotely:

– Unlock doors and roll down windows

– Activate horns, headlights, and windshield wipers

– Fold and unfold side mirrors

– Interfere with steering wheel positioning

Notably, steering manipulation only took effect while the vehicle was in motion.

Technical Breakdown of the Attack

The attack leverages several technical shortcomings:

1. Bluetooth Protocol Flaws: The proprietary Bosch “Bluedragon” Bluetooth stack lacked modern memory protections; Address Space Layout Randomization (ASLR) was ineffective because its libraries were loaded at fixed addresses.

2. Insufficient CAN Filtering: Nissan’s gateway allowed unexpected message types to reach body control modules, facilitating unauthorized control.

3. Legacy Systems: The infotainment unit ran Linux 3.14, released in 2013, without kernel module signature enforcement, so unsigned kernel code could be loaded once the system was compromised.
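Point 2 above, the gateway letting unexpected message types through, is addressed by a default-deny gateway that forwards only an explicit allowlist of (arbitration ID, DLC) pairs from the infotainment side toward the body domain. The Python below is an added example for this article; it is not Nissan's gateway code, and the arbitration IDs, DLCs, interface name and candump-style log lines are constructed for illustration.

```python
"""Allowlist-based CAN gateway filter between the IVI and body domains.

Added example for this article; it is not Nissan's gateway code and the IDs,
DLCs and log lines below are constructed. The filter forwards a frame from
the infotainment side only if its arbitration ID is on the allowlist for
that source domain and its DLC matches the expected length.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# candump-style line, e.g. "  can0  3A0   [2]  01 02"
CANDUMP_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})\s+\[(?P<dlc>\d)\]\s*"
    r"(?P<data>(?:[0-9A-Fa-f]{2}\s*)*)$"
)


@dataclass(frozen=True)
class CanFrame:
    arb_id: int    # 11-bit standard identifier
    data: bytes    # classic CAN payload, 0..8 bytes

    def __post_init__(self) -> None:
        if not 0 <= self.arb_id <= 0x7FF:
            raise ValueError(f"standard CAN ID out of range: {self.arb_id:#x}")
        if len(self.data) > 8:
            raise ValueError("classic CAN payload exceeds 8 bytes")


def parse_candump_line(line: str) -> CanFrame:
    """Turn one candump-style log line into a CanFrame; DLC must match the data."""
    m = CANDUMP_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    data = bytes.fromhex(m.group("data").replace(" ", ""))
    if len(data) != int(m.group("dlc")):
        raise ValueError(f"DLC/data mismatch in line: {line!r}")
    return CanFrame(int(m.group("id"), 16), data)


# Allowlist per source domain: arbitration ID -> expected DLC.
# Constructed values; a real gateway derives this from the vehicle's signal database.
ALLOWLIST: Dict[str, Dict[int, int]] = {
    "ivi": {
        0x3A0: 2,  # hypothetical: IVI status (volume, source) for the cluster
        0x3A1: 8,  # hypothetical: IVI alive counter / heartbeat
    },
}


class GatewayFilter:
    """Default-deny gateway: only allowlisted (ID, DLC) pairs cross domains."""

    def __init__(self, allowlist: Dict[str, Dict[int, int]]) -> None:
        self.allowlist = allowlist
        self.dropped: List[Tuple[str, CanFrame, str]] = []  # audit trail of rejected frames

    def forward(self, source: str, frame: CanFrame) -> bool:
        """Return True if `frame` from `source` may pass; record the reason otherwise."""
        permitted = self.allowlist.get(source, {})
        if frame.arb_id not in permitted:
            self.dropped.append((source, frame, "id not allowed from this domain"))
            return False
        if len(frame.data) != permitted[frame.arb_id]:
            self.dropped.append((source, frame, "unexpected DLC"))
            return False
        return True

    def process(self, source: str, lines: List[str]) -> List[CanFrame]:
        """Filter a batch of candump lines from `source`; return the forwarded frames."""
        return [f for f in map(parse_candump_line, lines) if self.forward(source, f)]


# Constructed traffic as it might be logged on the IVI-side bus.
SAMPLE_IVI_LOG = [
    "  can0  3A0   [2]  0C 01",                    # allowed: ID and DLC match
    "  can0  3A1   [8]  01 00 00 00 00 00 00 5A",  # allowed
    "  can0  3A0   [8]  00 00 00 00 00 00 00 00",  # wrong DLC for 0x3A0
    "  can0  2B4   [8]  FF 00 00 00 00 00 00 00",  # hypothetical body-domain ID, never expected from IVI
    "  can0  3A1   [3]  01 00 00",                 # wrong DLC for 0x3A1
]


def run_sample() -> Tuple[int, int]:
    """Run the constructed log through the filter; return (forwarded, dropped) counts."""
    gw = GatewayFilter(ALLOWLIST)
    forwarded = gw.process("ivi", SAMPLE_IVI_LOG)
    return len(forwarded), len(gw.dropped)


if __name__ == "__main__":
    gw = GatewayFilter(ALLOWLIST)
    for frame in gw.process("ivi", SAMPLE_IVI_LOG):
        print(f"forwarded {frame.arb_id:#05x} {frame.data.hex()}")
    for source, frame, reason in gw.dropped:
        print(f"dropped   {frame.arb_id:#05x} from {source}: {reason}")
```

The `dropped` list is the detection signal: a burst of rejected frames from the IVI domain, especially with IDs that belong to body or chassis ECUs, is exactly the behaviour a compromised head unit would produce and is worth forwarding to a vehicle-side intrusion detection log.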

Response and Mitigation Efforts

PCAutomotive reported these vulnerabilities to Nissan in August 2023. However, coordination challenges have delayed the deployment of patches. A Nissan spokesperson stated:

“We’re implementing over-the-air update capabilities and hardware revisions for future models. Current Leaf owners will receive dealership firmware updates by Q3 2025.”

This vulnerability underscores critical risks in automotive supply chains, particularly concerning:

– Shared components, such as Bosch IVI units used across multiple manufacturers

– Legacy authentication methods within in-vehicle networks

– Cellular and Wi-Fi connectivity without robust firmware signing

Recommendations for Nissan Leaf Owners

To mitigate potential risks, Nissan Leaf owners are advised to:

– Disable Bluetooth when parked in public areas

– Contact dealerships regarding urgent Electronic Control Unit (ECU) updates, referencing NHTSA Reference #2025-LEAF-004

– Monitor for unusual system behavior, such as unexpected mirror movements or warning signals

As vehicles become increasingly connected, this exploit serves as a stark reminder of the physical dangers associated with digital vulnerabilities. Regulatory bodies are now advocating for mandatory penetration testing standards similar to those in aviation safety protocols.