Nissan Leaf car gives its coordinates to any RSS provider
It seems that in the future we will have to put a firewall not only on every personal computer, but also on every personal car. At least, the approach to information security that car manufacturers are demonstrating today is far from reassuring.
For example, look at how the Carwings information system in the Nissan Leaf works. First, the car maintains a permanent Internet connection. Second, the built-in RSS reader connects to the Carwings web service, which provides the coordinates of your car to a third-party RSS data provider. This is so that you can receive personalized RSS services, such as weather forecasts for the region where you are.
But what is interesting is that when you subscribe to any channel (for example, CNN news), your exact coordinates are for some reason sent to the data provider.
One lucky Nissan Leaf owner set up RSS export on his own server, just to learn how the coordinates are transmitted. In the Apache logs, he found requests like this one (specific coordinates erased):
61.202.253.100 - - [12/Jun/2011:16:19:39 -0600] "GET /rss.php?lat=47.xxxxxxxxxxxxx&lon=-122.yyyyy&lat_dst=47.xxxxxxxxxxxxx&lon_dst=-122.yyyyyyyyyyyy&lat_1=&lon_1=&lat_2=&lon_2=&lat_3=&lon_3=&lat_4=&lon_4=&lat_5=&lon_5=&car_dir=212&speed=0&language_navi=use&navi_set_t_zone=-8.00&navi_set_dst_d=mile&navi_set_tmp_d=F&navi_set_e_mlg_d=mile/kwh&navi_set_spd_d=mile/h& HTTP/1.1" 200 641 "-" "Mozilla/5.0 (compatible; NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)"

As you can see, directly in the HTTP GET parameters, the request contains the current vehicle coordinates (lat and lon), current speed (speed), direction of travel (car_dir) and the destination coordinates from the car navigation system (lat_dst and lon_dst).
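The check below is an added example, not code from the original article or from Nissan: it scans Apache combined-format log lines for the location and telemetry parameters named above and shows the request target with those parameters stripped, as a forwarding service could do before contacting a third-party feed. The sample line is constructed from the logged request, and the function names and the 192.0.2.10 address are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names taken from the logged Carwings request shown on this page.
SENSITIVE = {"lat", "lon", "lat_dst", "lon_dst", "speed", "car_dir"}
WAYPOINT = re.compile(r"^(lat|lon)_[1-5]$")  # lat_1..lat_5, lon_1..lon_5

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample, modelled on the request above (coordinates stay redacted).
SAMPLE = ('192.0.2.10 - - [12/Jun/2011:16:19:39 -0600] "GET /rss.php?lat=47.xxx'
          '&lon=-122.yyy&lat_dst=47.xxx&lon_dst=-122.yyy&lat_1=&lon_1=&car_dir=212'
          '&speed=0&language_navi=use&navi_set_t_zone=-8.00& HTTP/1.1" 200 641 "-" '
          '"Mozilla/5.0 (compatible; NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)"')

def is_sensitive(name):
    """True for position, destination, motion and waypoint parameters."""
    return name in SENSITIVE or bool(WAYPOINT.match(name))

def leaked_fields(log_line):
    """Return {param: value} for non-empty sensitive parameters in one log line."""
    m = LOG_RE.match(log_line.strip())
    if not m:
        return {}  # not a combined-format line; nothing to report
    query = urlsplit(m.group("target")).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if is_sensitive(k) and v}

def scrub_target(target):
    """Drop sensitive parameters from a request target and keep the rest."""
    parts = urlsplit(target)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_sensitive(k)]
    return parts._replace(query=urlencode(kept)).geturl()

if __name__ == "__main__":
    print("leaked:", leaked_fields(SAMPLE))
    target = LOG_RE.match(SAMPLE).group("target")
    print("scrubbed:", scrub_target(target))
```

Empty waypoint slots such as lat_1= are not reported, while speed=0 is, because a stationary reading is still telemetry.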

It is clear that the car manufacturer wants to constantly monitor this information (at least they are unlikely to ever give up this opportunity), and they can share this data with law enforcement authorities upon request, but why give it out to everyone? Very sensitive information is handed to a third-party RSS provider, which can in fact be absolutely any site on the Internet.
What the “data leak” from the car interior looks like is shown in the video below.
In other words, it would be nice to put an ordinary firewall on this Nissan Leaf that would block the sending of coordinates via the Internet. But for now this cannot be done: such firewalls do not exist, and it is impossible to disable the standard coordinate transfer function on the Nissan Leaf. Flashing firmware is illegal and may result in loss of warranty for the car. The question is: are car manufacturers aware of the problem, or do completely different information protection standards apply to them than in the computer industry?