Researchers from Budapest-based cybersecurity firm PCAutomotive have revealed a series of vulnerabilities in the 2020 Nissan Leaf, allowing remote access to various vehicle functions, including steering control. The findings were presented at the Black Hat Asia 2025 conference, highlighting significant concerns over the security of connected vehicles.
The attack begins by exploiting weaknesses in the Leaf’s infotainment system, particularly its Bluetooth connectivity. Once access is gained, attackers can escalate privileges and establish a command-and-control channel over cellular communications, enabling remote control over the internet.
With this access, an attacker can control several vehicle functions:
Location Tracking: Real-time GPS tracking of the vehicle.
Audio Surveillance: Recording in-cabin conversations via the car’s microphone.
Audio Playback: Playing recorded audio through the vehicle’s speakers.
Physical Controls: Operating the horn, adjusting mirrors, controlling windows, flashing lights, activating windshield wipers, locking/unlocking doors, and manipulating the steering wheel—even while the car is in motion.
The vulnerabilities have been assigned eight Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2025-32056 through CVE-2025-32063. The attack chain involves exploiting a stack buffer overflow in the Bluetooth Hands-Free Profile, gaining root access to the vehicle’s Linux-based operating system, establishing persistent access, and communicating over the vehicle’s Controller Area Network (CAN) bus to send commands to various electronic control units (ECUs).
Nissan’s Response
Nissan acknowledged the vulnerabilities, stating: “PCAutomotive contacted Nissan regarding its research. While we decline to disclose specific countermeasures or details for security reasons, for the safety and peace of mind of our customers, we will continue to develop and roll out technologies to combat increasingly sophisticated cyberattacks.”
This incident underscores the growing cybersecurity challenges in modern vehicles, particularly electric vehicles with extensive digital systems. The ability to remotely control critical vehicle functions raises significant safety concerns for drivers and other road users.
Owners of 2020 Nissan Leaf vehicles are advised to:
Update Software: Ensure the vehicle’s software is up to date.
Limit Bluetooth Connectivity: Only pair with trusted devices when necessary.
Monitor for Unusual Behavior: Be alert to unexpected activity in the vehicle’s systems.
Contact Dealers: Inquire about security updates addressing these vulnerabilities.
As vehicles become more connected, robust cybersecurity measures are essential to protect against potential threats.