Connected cars are great, as they let you communicate with other systems and devices via the internet, but connectivity opens the door to hacking. As it turns out, hacking a Nissan Leaf isn’t nearly as difficult as it might sound if you’ve got the right tools and the right knowledge.
Researchers from Budapest-based PCAutomotive traveled to Black Hat Asia 2025 to demonstrate how they managed to hack into a 2020 Nissan Leaf. Luckily, they had good intentions—they simply wanted to show that it could be done. Someone with less-than-good intentions could have caused a great deal of damage with the same tools. Most of the parts used to hack into the car were sourced from eBay or a junkyard.
The first part of the project involved building a working test bench around a Leaf touchscreen and the EV’s digital instrument cluster. They then bypassed the anti-theft safeguards by implementing a Python script, which is a programming language, and hacked into the system. The steps taken to break in were detailed in a presentation. They look complicated if you don’t know what you’re dealing with and have no programming experience, but someone with a great deal of programming experience shouldn’t find the process terribly daunting.
When everything was set up, it was time to launch an attack. One of the researchers connected to the Leaf remotely via a laptop while two others were riding in it. The first step was pretty straight-forward: The man with the laptop tracked the Leaf’s movements via GPS. He then recorded the conversation the passengers were having inside the car, downloaded it to his laptop, and played it in the car via the speakers.
Next, things got creepier. Using the same laptop, the researcher sounded the horn, folded the door mirrors, turned on the wipers, and even yanked the steering wheel. He was able to perform these tasks even when the car was moving. The team identified a list of 10 vulnerabilities that allowed it to access the Leaf’s infotainment system and notified Nissan. The company hasn’t responded to the video as of this writing, however.
