A flaw related to a companion app means Nissan Leaf electric cars’ heating and air-conditioning systems can be hijacked, a “prominent” security researcher has discovered.

Troy Hunt told the BBC the flaw also allowed data about drivers’ recent journeys to be spied on. Hunt said he gave the firm a month to fix the issue before he decided to make it public while Nissan said it could not yet comment.

Nissan made much of the app when the Leaf was launched. Among other things it allows remote pre-setting of cabin heating and cooling, battery recharging times (to take advantage of cheaper off-peak electricity rates) and also allows drivers to upload trip data to Nissan and compare results – such as power consumption and vehicle range – with other owners.

Hunt said car owners could protect themselves while the problem remains unsolved by disabling their Nissan CarWings account. Those who have never signed up are not at risk. He added the issue was not life-threatening, but hackers could still exploit the NissanConnect app’s vulnerability by running down people’s batteries by activating the HVAC system in their absence.

“The right thing to do at the moment would be for Nissan to turn it off altogether,” Hunt told the BBC. “They are going to have to let customers know. And to be honest, a fix would not be hard to do. It’s not that they have done authorisation [on the app] badly, they just haven’t done it at all, which is bizarre.”

Hunt said the root of the problem was that the firm’s NissanConnect app needed only a car’s vehicle identification number (VIN) to take control. The code is usually stamped on a plate at the base of a car’s windscreen, making it relatively easy to copy. The initial characters of a VIN refer to the brand, make of car, and country of manufacture/location of the firm’s headquarters. So, Hunt said, it would only be the final numbers that varied between different Nissan Leafs based in the same region.

“Normally it’s only the last five digits that differ,” he said. “There’s nothing to stop someone from scripting a process that goes through every 100,000 possible cars and tries to turn the air conditioning on in every one. They would then get a response that would confirm which vehicles exist.”

Attackers would not even need to use the app, he added, since the commands could be sent via a web browser.

Australia-based Hunt proved his point by using used the VIN number of a Nissan Leaf-owning acquaintance based in the UK. He was able to connect to the friend’s EV and see data about recent journeys.

Further tests indicated that the hack did not work if the vehicle was in motion but it was possible to see the owner’s registered user name which might help reveal their identity, the BBC report said. Times and distances of recent journeys were disclosed, but not location data. As soon as the friend unregistered his app, Hunt could no longer contact his car.