Security researchers have uncovered severe vulnerabilities in the 2020 Nissan Leaf, showing how the car can be remotely tracked, surveilled, and physically controlled in a disturbing escalation, including its steering system.
The demonstration by the Hungarian firm PCAutomotive at the Black Hat Asia 2025 conference revealed that the attack required no sophisticated hardware. Instead, the team used readily available tools and an expert understanding of the Leaf’s software to compromise the vehicle.
‘Hacked by PCAutomotive’
Working through the car’s infotainment system, the researchers began with a Bluetooth exploit, moved laterally through internal networks, and ultimately established persistent control via the vehicle’s cellular connection. This gave them full access to the car over the internet.
In a live demo, the hackers displayed a chilling level of access. They located the vehicle through GPS, hijacked the dashboard display with a ‘Hacked by PCAutomotive’ banner, and used the onboard microphone to record conversations, which they later replayed through the vehicle’s speakers – all without needing to be physically near the car.
The intrusion extended further. The researchers manipulated physical components: mirrors, windows, lights, wipers, locks, and the horn. Most alarmingly, they remotely turned the steering wheel when the car was parked and moving. While throttle and braking remained out of reach, the ability to influence steering alone raises profound questions about driver safety.
Nissan, when approached for comment, offered little reassurance. “PCAutomotive contacted Nissan regarding its research,” a spokesperson said. “While we decline to disclose specific countermeasures or details for security reasons, for our customers’ safety and peace of mind, we will continue to develop and roll out technologies to combat increasingly sophisticated cyberattacks.”
That vagueness has not gone unnoticed. PCAutomotive’s lead researcher, Danila Parnishchev, said the company had received no indication that the vulnerabilities had been patched. “We would be happy to share those details otherwise,” he added.
Lack of software experience?
The episode highlights a persistent issue in modern vehicle manufacturing: traditional automakers are increasingly building connected, software-heavy vehicles without the corresponding expertise in cybersecurity. The attack surface has grown, but defences have not kept pace.
This isn’t the Leaf’s first brush with insecurity. In 2016, researchers exploited flaws in its companion app to alter climate settings remotely. The year before, a separate hack of a Jeep Cherokee allowed attackers to turn off the car’s transmission on a highway – a breach that prompted a recall of 1.4 million vehicles.
For Nissan Leaf drivers—and anyone behind the wheel of a modern connected vehicle—the demonstration is a stark reminder that the more software runs the car, the more its control may be at stake.
