In an alarming discovery that raises serious questions about electric vehicle cybersecurity, security researchers have demonstrated how the 2020 Nissan Leaf can be remotely compromised, allowing attackers to control multiple vehicle functions, including its steering system.

"The capability stops short of controlling the throttle and brake pedals, but turning the wheel is enough to ring major alarm bells," notes Road & Track in their recent coverage of this critical security flaw.


The Vulnerability Explained

The security flaw, discovered by PCAutomotive, a company specializing in automotive penetration testing, affects 2020 Nissan Leaf models. Their research team uncovered a series of vulnerabilities that allow hackers to gain unauthorized remote access to the vehicle. 

The attack begins with exploiting weaknesses in the car's infotainment system through its Bluetooth connectivity. Once inside the vehicle's internal network, attackers can escalate privileges and establish a command-and-control channel over cellular communications. This means hackers could potentially control your Leaf from anywhere in the world with internet access.

"Security researchers have uncovered significant vulnerabilities in the 2020 Nissan Leaf electric vehicle, demonstrating that attackers could remotely access and control various car functions," explains cybersecurity firm Field Effect in their analysis of the attack.


What Can Hackers Access?

The range of functions accessible to attackers is genuinely concerning. According to PCAutomotive's demonstration at Black Hat Asia 2025, hackers who successfully exploit these vulnerabilities can:

  1. Track the vehicle's location using GPS
  2. Record in-cabin conversations using the car's microphone
  3. Playback audio through the vehicle's speakers
  4. Control various physical functions, including:

   - Horn activation

   - Mirror adjustments

   - Window operation

   - Light flashing

   - Windshield wiper activation

   - Door locking/unlocking

   - Steering wheel manipulation (even while the car is moving)

"The hack allowed for much greater control of the car than just screwing with your infotainment," reports Road & Track. "PCAutomotive goes on to show it can remotely activate the horn, adjust the mirrors, roll the windows down, flash the lights, turn on the wipers and lock/unlock the car, all from afar. The final trick is the biggest, as PCAutomotive is able to turn the wheel of the car while it's both stopped or moving."


Technical Details of the Attack

For those interested in understanding the technical aspects, the attack chain is deep and involves multiple stages:

  1. Initial Access: Exploitation of a stack buffer overflow vulnerability in the Bluetooth Hands-Free Profile (HFP) implementation of the infotainment system
  2. Privilege Escalation: Gaining root access to the vehicle's Linux-based operating system
  3. Persistence: Establishing permanent access through various methods, including SSH server manipulation
  4. CAN Bus Communication: Accessing the vehicle's Controller Area Network to send commands to various electronic control units
  5. Bypassing Gateway Filtering: Overcoming security controls that limit communication between different CAN networks

The vulnerabilities have been assigned eight CVE identifiers (CVE-2025-32056 through CVE-2025-32063) documenting the various security flaws in the system.


Nissan's Response

When contacted about these vulnerabilities, Nissan provided the following statement: "PCAutomotive contacted Nissan regarding its research. While we decline to disclose specific countermeasures or details for security reasons, for the safety and peace of mind of our customers we will continue to develop and roll out technologies to combat increasingly sophisticated cyberattacks."

This response doesn't explicitly confirm whether the vulnerability has been patched in affected vehicles. According to Road & Track, "the initial disclosure of a vulnerability was made to Nissan in 2023, and it's taken until now for PCAutomotive to detail its findings."

Danila Parnishchev, head of security assessment for PCAutomotive, stated: "Unfortunately, PCAutomotive didn't receive remediation details, such as patched software versions or patch IDs. We would be happy to share those details otherwise."


Implications for EV Security

This security breach highlights the growing cybersecurity challenges facing modern connected vehicles, particularly EVs with their extensive digital systems. The ability to remotely control critical vehicle functions raises significant safety concerns for drivers and other road users.

Field Effect notes that "a connected vehicle would be an ideal target for threat actors, from both an espionage perspective and for those looking to cause harm to their occupants, other drivers, and property. The list of actions threat actors could take with a compromised connected car is nearly endless."


What Leaf Owners Should Do

While Nissan has not explicitly confirmed a patch for these vulnerabilities, cybersecurity experts recommend several protective measures for Nissan Leaf owners:

  1. Keep your vehicle's software updated: Ensure you have the latest firmware updates from Nissan.
  2. Limit Bluetooth connectivity: Only pair with trusted devices when necessary.
  3. Be cautious with mobile apps: Use official apps and keep them updated.
  4. Monitor for unusual behavior: Pay attention to any unexpected activity in your vehicle's systems.
  5. Contact your dealer: Ask about security updates specifically addressing these vulnerabilities.

This is not the first time the Nissan Leaf has faced cybersecurity concerns. In 2016, security researchers identified issues with the Nissan Connect app that could allow attackers to access climate controls and driving data. However, the current vulnerabilities represent a significant escalation in potential impact, as they allow direct control of physical vehicle functions.

As vehicles become increasingly connected and software-dependent, the automotive industry faces the challenge of securing complex systems against determined attackers. The Nissan Leaf case underscores the importance of robust security by design in modern vehicles.


This incident serves as a reminder that automotive cybersecurity must be a priority for manufacturers and regulators alike. As we transition to more connected and autonomous vehicles, securing these systems against potential attacks will be crucial for maintaining public safety and trust in new automotive technologies.