Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver's location, speed and destination to websites accessed through the vehicle's built in RSS reader, a security blogger has found. The Nissan Leaf is a 100-percent electric car that Nissan introduced seven months ago. Among its many …
Forgive my ignorance...
but if the car has a built-in GSM cellular connection, does that mean the owner/driver gets hit with massive roaming charges?
massive roaming charges?
Nah, the cost (borne by them) is offset by all that lovely information they're getting. Just like a 3G kindle. GSM so it's probably sent over the SACCH (like a text) as and when.
Only if the car had sufficient range to get you 'abroad'.
RE: Massive roaming charges
The cost of the 5 year GSM subscription is built into the cost of the car. Nissan and Telenor Connexion (http://www.telenorconnexion.com/) have a deal in place which means the customer does not have to pay any further costs other than original purchase price.
FWIW, Telenor have a solution for 39 European countries and so you should be able to use your Leaf throughout Europe....now where is my extension cable??
Not that big a deal
Hardly anyone will buy the car and for those very few sad folk who do, the 100 metre range before the car needs a full 16 hour deep recharge means that all these RSS sites will get is the rough positions of the three Nissan garages that will stock this woeful vehicle.
"Hardly anyone will buy the car and for those very few sad folk who do, the 100 metre range before the car needs a full 16 hour deep recharge means that all these RSS sites will get is the rough positions of the three Nissan garages that will stock this woeful vehicle."
That's very amusing.
Just a little short sighted.
You think the Nissan Leaf is the way forward, the car that will be the saviour of our planet?
A little short sighted.
"You think the Nissan Leaf is the way forward, the car that will be the saviour of our planet?"
I think expecting some eco freak's wet dream to be the *only* vehicle that will helpfully report *exactly* where they are on request is short sighted.
But it is one of the first.
I doubt it will be the last.
Oh come on! I'm getting tired of seeing these words every time some product is found doing something it shouldn't be doing. The capability has to be coded in and therefore designed in to the product - especially if, as it seems is the case here, the capability works.
Where's the 'Bullshit' Icon?
Or are they saying they (or their suppliers) employ completely incompetent idiots for programmers and/or testers (if they do test the stuff), who don't even know what they are putting in the code?
Is this really any surprise?
Our privacy will slowly be eroded by stealth, we're obsessed by gadgets and the more we buy the easier it is for "them" to gather more info about us.
Excuse me, I have to line my garden shed with tin foil and finish my tinfoil suit...
Don't really think this was malicious mate
I think it was more a case of, oh what would this facecack generation of users love to have on their car... etc.
Personally I have neither a mobile phone (LOVE it) nor a car - so no GPS either.
The wife's phone (android) has location services disabled and if it were up to me, social networking would be disabled by dansguardian.... I did this one day and she went nuts. Apparently the internet is facebook these days.
but anyway, back to the car, I don't think it was done maliciously. They want to SELL cars after all.
How much bakofoil does it take to make an alu-beanie for a whole car?
It's easy to imagine Carwings becoming
a privacy liability for users whose whereabouts are sensitive, such as those who work with survivors of domestic abuse or those in law enforcement.
Or those with a home which can be burgled, perhaps?
the solution to that is to not buy the thing in the first place, if you have a sensitive job or not use it for business or call yourself something else. Simples. Where is the irritating mongoose so I can throttle it.
Except that relies on *knowing* it's doing that.
Everyone who already owns (rents?) a Leaf did not know that.
Everyone who doesn't read El Reg or Seattle Wireless still does not know that.
Do you see the problem yet?
"a home which can be burgled"
that's a point. I can see it now: a crimewave in which the solar panels and wind turbines of Leaf early adopters are stolen while they are out, whirring along towards the Community Action on Styrofoam Symposium ...
What do you think GM's Onstar does already?
GM's Onstar service can pass the same information through a satellite connection from regular vehicles and is installed on MILLIONS of vehicles already.
Big Brother ALREADY knows where you're going, at what speed, and how long it took you to get there, whether you brake or accelerate excessively, had an accident or not.
As such, the police can get all of this info from Onstar or from your onboard computer.
Whether or not GM sells the info on to insurance or advertising agencies, private investigators or "News of the World" is anyone's guess.
Onstar is why I don't own, and will NEVER own, a GM
And thanks to their sneaking this new spying technology under the nose of their own customers, why I won't buy a Nissan. ANY Nissan.
Way to go, guys.
Fair point. I'm already shopping for a nicely restored half-timbered morris oxford.
The Japanese are
Therefore I'll reserve scrution for the time being.
are you sure?
As part of the US Navy I made many extended stay trips to Japan. Our barracks were cleaned by Japanese. On one occasion in 1961 I left $600 laying on my bed while I took a three day trip. The $600 was on my bed when I got back. Try that in any other country.
The very civilized way the Japanese people behaved after the recent earthquake and tsunami is something only few parts of the United States can match. Ethics is the cornerstone of being Japanese.
That's my experience based on recurring visits from 1961 to 1993. What's your experience?
means circumspect, hard to read. Not anything to do with honesty. My own experience of the Japanese is much like yours - tirelessly polite, honourable but sometimes overly concerned with hierarchy and deference.
My pet theory is that any culture that has a long and successful history of violence/warfare tends towards being incredibly polite ... causing offence could be a fatal error ;)
inscrutable != unscrupulous
there are many good "word a day" services useful for catching up on missing educational opportunities (ie reading)
So, first we learn that French intelligence gets the details of UK servicemen, then this. May I remind you that Nissan is almost half owned by Renault, itself partly owned by France.gov? Coincidence? I think not!
Now where's that tinfoil hat icon when you need it?
Tinfoil hat #2
As horridly intrusive as this tech is, it's equally concerning to see that the earlier story about Royston's ANPR systems seems to have been taken down. The story that featured how the website objecting to that system had seemed to have been taken down too, ironically.
Had me going for a moment. I remembered reading it but wasn't sure if it was on the Reg or the BBC news site. Anyway, it's just gone from the front page (interesting editorial decision, that). It is still there under 'Public Sector/Policing'.
Wait for it....
Punch line #1: So this means my car is going to have its own face book page? What happens if it defriends me?
Punch line #2: Forget where you parked your car; was it stolen or want to know where it's been? Google it.
Punch line #3: If it's Microsoft "powered" wait for SP 3 before taking any long trips and double check your configurations otherwise Bing will be enabled, whether you want it or not.
OK, I'm bored now.
Punch line #1a
Won't start? Poke it!
Okay, tinfoil hats off for a second here...
"Each time the driver accesses a given RSS feed, the car's precise geographic coordinates, speed, and direction are sent in clear text. The data will also include the driver's destination if it's programmed in to the Leaf's navigation system, as well as data available from the car's climate control settings."
1. None of these are particularly sensitive pieces of information to begin with, unless you're REALLY paranoid. The worst one I can see is programmed destination, and then only if you're doing something really embarrassing.
2. This is likely a programming oversight (i.e., dev 1 wrote a function to send HTTP requests for the emergency function, dev 2 (or even 1 again) re-used it without thinking about the additional data being sent.) While this is not a good thing, Nissan should be able to (and just should) provide a means for users to get a firmware update that fixes this.
3. Bear in mind that this data is only sent to sites you've subscribed to, WHEN YOU REQUEST THEM. So it doesn't provide real-time tracking, only datapoints telling providers when and where you're looking at their data. So only add feeds you trust, and only check your RSS feeds when you're sitting still at an innocuous location, and don't have your mistresses' locations programmed into your GPS, and you're fine. If you're really worried, just don't use the CarWings feature at all.
4. I certainly hope SPEED is 0 while you're fiddling with the RSS feeds. If not, kindly hit the nearest obstacle that won't cause any harm to the rest of us and shuffle off, won't you? There's a good chap.
Cue the downvotes and FAIL icons from people who haven't read and comprehended the article and/or the original blog post and don't get how easy it is to avoid this info being sent to begin with.
Re: Steven Knox
Yay! A commenter who seems to understand the article.
However, I would pick a small nit - I believe that the location data is not sent as part of an emergency function but to do with extra features that the car will regularly get fed data about.
The way I suspect that it happened is that a feature was thought up to give regular info to the car/driver about the driving stats and it was also thought desirable to be able to check the same stats from your home PC. Someone then came up with the idea of supplying the data in the form of an RSS feed as lots of code already exists to handle these. This also added the wizzo feature that the car could receive other RSS feeds such as news and weather. At some point someone realised that you could tag extra info into the RSS request to make the send-info-to-server and read-stats-in-car part of the same data exchange. Some silly sod then forgot to code it so the extra data ONLY went on the Nissan RSS request.
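The oversight this comment hypothesises, sketched as an added example that is not part of the thread and not Nissan's code: the leaky builder attaches telemetry to every feed request, while the hardened one attaches it only to an exact-match first-party host over HTTPS. The host name, parameter names and sample values are all hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl

# Hypothetical first-party host; the page does not name the vendor's endpoint.
FIRST_PARTY_HOSTS = frozenset({"telematics.vendor.example"})

# Constructed sample telemetry; field names are illustrative only.
SAMPLE_TELEMETRY = {"lat": "47.6062", "lon": "-122.3321", "speed": "0", "heading": "90"}


def _with_params(url, extra):
    """Return url with the extra query parameters appended."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_request_leaky(feed_url, telemetry):
    """The suspected bug: telemetry rides along on every feed request."""
    return _with_params(feed_url, telemetry)


def is_first_party(feed_url, allowed=FIRST_PARTY_HOSTS):
    """True only for an HTTPS URL whose exact host is on the allowlist."""
    try:
        parts = urlsplit(feed_url)
        host = parts.hostname  # excludes userinfo and port, lower-cased
        _ = parts.port         # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False  # never send coordinates in clear text
    return host.rstrip(".") in allowed  # exact match, not a suffix or substring test


def build_request(feed_url, telemetry, allowed=FIRST_PARTY_HOSTS):
    """Hardened form: only the first-party endpoint ever receives telemetry."""
    if is_first_party(feed_url, allowed):
        return _with_params(feed_url, telemetry)
    return feed_url


def leaked_fields(url, telemetry):
    """List the telemetry keys present in a URL's query string (for auditing)."""
    present = {k for k, _ in parse_qsl(urlsplit(url).query)}
    return sorted(present & set(telemetry))
```

`leaked_fields` can also be run over captured outbound request URLs to confirm that no third-party feed host receives any telemetry key.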
@Steve Knox... no tinfoil here...
But you do realize the irony is that while you're saying "Meh... no big deal..." you do realize that if this were the US or Brit government doing this... you and 100 other commentards would be screaming bloody murder.
People are more forgiving of large corporations snooping in on their private lives than if the incompetent bureaucratic governments did so. Unfortunately in this ignorance many forget the potential harm that can occur.
The bigger problem which obviously you seem to ignore is that when companies think about adding benefits and features to their products, they don't think enough about security. It's always a rush to be first to market and security is always an afterthought. Oh wait, you did think about it because you gloss over this point in your #2 argument. "A programming oversight". Yeah right.
(And actually you are right because the developers/architects don't bother to think beyond meeting the stated functional spec.)
For those smug* enough to own a Leaf, it would be one thing for Nissan to say that they are capturing your car's telemetry so that they can better research and understand your driving habits and use it to improve the next generation of electric cars, however, not saying it, or allowing you to opt-out of the data capture is another thing.
And the reason I call the drivers of Leafs smug is that many of them are purchasing/leasing the vehicles because they want to help save the environment. So what they end up doing is increasing the amount of electricity required to be generated, yet voting down and not supporting nuclear energy which is the cleanest and most efficient method of producing energy and can keep up with the increased demand. But that's a different rant. ;-)
@Ian Michael Gumby
"But you do realize the irony is that while you're saying "Meh... no big deal..." you do realize that if this were the US or Brit government doing this... you and 100 other commentards would be screaming bloody murder."
On the contrary, I would LOVE it if the government only collected about a dozen relatively unimportant pieces of information about me, and did so only when I accessed a completely optional feature of a non-critical add-on to a device I would use only sparingly to begin with.
I agree with your assessment of the real problem. I said "no big deal" about the effects, not about the cause. Sorry if that didn't come across.
I also want to acknowledge that Gettin Sadda is correct in that the feature I mentioned that is at the heart of this is not an emergency feature, but an informational one.
Finally, I'd like to mention that Nissan DOES tell customers that they are capturing the car's telemetry and provide an opt-out. They even go so far as making it happen every time on startup. See http://seattlewireless.net/~casey/?p=97&cpage=1#comment-7956 for reference. They don't tell customers that they're sharing that with every site (as I said before, probably because they didn't intend to), though, which is where the problem mentioned here comes up.
I hate to be the one breaking it to you, but you're no fun. Like, at all.
i can see it now
the gubmint will be giving these cars away to those they want to track even more closely than now. eedjets
So no need to worry?
Well let's see
Nissan made *no* mention of this to their customers, but you do wonder if they did sell it as a "feature" to web site owners.
There is *no* opt out. You (the *customer*) have *no* choice in this information being coughed up.
It is an *automatic* opt in. Or did they think that (like Phorn) drivers are too stupid to understand the tech and make "informed" decisions?
"Trusted" websites. I "trust" a web site to do a certain thing or give me certain information.
That is as far as my "trust" goes with *any* web site. WTF would *I* want any random website to know where I was (which is essentially what this does).
It's Facebook on wheels, *without* the privacy options.
No need to ask. No need to know.
For crying out loud
"There is *no* opt out. You (the *customer*) have *no* choice in this information being coughed up."
I am genuinely surprised that there are still people this dumb commenting on El Reg.
Do you have no capacity for reading? If you don't want the data broadcast, DON'T USE THE FEATURE. Either don't use their stupid (and probably useless) software, or don't read RSS feeds on the car's display...
Read the whole article before you comment.
"I am genuinely surprised that there are still people this dumb commenting on El Reg."
You're rather easily surprised then, and quite trusting as well.
"Do you have no capacity for reading? If you don't want the data broadcast, DON'T USE THE FEATURE. Either don't use their stupid (and probably useless) software, or don't read RSS feeds on the cars display..."
For those who have trouble parsing English.
My statement about no opt out was based on the assumption that a driver *wanted* RSS in the first place. That was *implied* but not stated.
It would appear you read English like parsing a functional language and you need *all* the implications spelled out.
Mixing up this information (which has *nothing* to do with the user's desires) is the equivalent of Microsoft's claim that Internet Explorer was an intimate part of Windows and could not be removed.
This also was nonsense.
I trust I have resolved any ambiguities you persist in having.
Andrew, not using a feature of the car is not the same thing as opting out of having your telemetry captured.
As another reader pointed out, OnStar captures your car's telemetry, but it's kept private until there's either your authorization to allow the police to access it, or the police contact Onstar with a LE sub.
OnStar keeps your data private.
Until anyone asks.
Why do you need rss feeds in your car in the first place? Call me old fashioned but shouldn't drivers be concentrating on the road?
Also, just don't subscribe to any feeds if you value your privacy. Simples.
If you want to read El Reg while driving, you should use your phone like everyone else does.
And does this mean we're going to get a Lewis Page article about the evil and hypocritical etc etc tree-hugging driving habits of Leaf owners based on data from El Reg's RSS snoop feed?
[blank because there's no icon for Incoming]
The next step
A Car that sends your speed / location / direction data to police servers to automatically get a ticket printed and served to you from a cd looking slot in the radio.
It ain't all that far.
This ain't no Tesla.
(and does even a Tesla have enough juice to break the speed limit between 2 consecutive average speed cameras? How did TopGear come off against Elon?)
Oh, yes please.
A car that automatically tells the police whenever you exceed the speed limit? Wouldn't that be a terrible invasion of the inalienable human rights of selfish, reckless, moronic, antisocial petrolheads? I should fucking-well hope so.
Sadly, it would simply spawn a new industry of speed-spoofing hacks. Also, I can't see the likes of Ferrari voluntarily incorporating this technology into their products anytime soon.
"Precise" Geographic Coordinates?
Does it have a built-in GPS, or is it just using cell tower info (in which case, it's not really precise at all)?
Since the letters G, P & S appear consecutively...
...in the article, AND the car's list of features includes "GPS navigation", I'd say yes.
However, I do suspect that precision is not QUITE the submillimetric resolution of the coordinates shown in the video.
"it's not really precise at all" you wish!
Software currently running on almost all North American cellco networks is good for an accuracy of less than 3 metres. Remember, they can use more than 3 tower arrays to pinpoint a wanted cell's location.
Only local very low power re-broadcast units can lessen this software's accuracy which is why ATT wants femtocells to have GPS in them.
the real risk here
is that a terrorist can get an easy lock with their smug-seeking missiles.