Monday, June 13, 2011

Nissan LEAF Cars Leaks Speed, Position, Destination to RSS Feeds

Via H-Online -

A developer has found that the in-car electronics on the Nissan LEAF all-electric car leaks telemetry information to RSS feeds. The in-car electronics, CARWINGS, allows drivers to access their own selected RSS feeds which are then read to them.

But when Casey Halverson added his own feeds to the system, he found that his Apache server logs held more than just a request for the RSS data. The GET request for the RSS feed also included his latitude, longitude, speed, direction, and destination latitude and longitude.

"All of these lovely values are being provided to any third party RSS provider you configure" writes Halverson; there are no warnings that this information is being sent and it is not possible to disable it. The information is only provided when the RSS feed is requested, so it cannot be used as a vehicle tracker but it does offer real-time snapshots. The IP address shown for the request appears to belong to Hitachi Automotive Systems in Japan, which may indicate that the RSS request is being proxied by a Nissan data center; whether this will make the problem easier to fix is unclear.

Halverson has created a demonstration RSS feed for LEAF drivers which will read back the details that are being leaked. He has also created a "less evil" RSS feed which will give weather information for the car's current location. The issue is a good demonstration of the next generation of privacy problems.


I think Nissan has some serious explaining to do...

Time to pull that Privacy officer out of HR / Marketing and get him/her into the engineering side of the house too ;)

No comments:

Post a Comment