Forgive my ignorance...
but if the car has a built-in GSM cellular connection, does that mean the owner/driver gets hit with massive roaming charges?
Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver's location, speed and destination to websites accessed through the vehicle's built in RSS reader, a security blogger has found. The Nissan Leaf is a 100-percent electric car that Nissan introduced seven months ago. Among its many …
The cost of the 5 year GSM subscription is built into the cost of the car. Nissan and Telenor Connexion (http://www.telenorconnexion.com/) have a deal in place which means the customer does not have to pay any further costs other than original purchase price.
FWIW, Telenor have a solution for 39 European countries and so you should be able to use your Leaf throughout Europe....now where is my extension cable??
"Hardly anyone will buy the car and for those very few sad folk who do, the 100 metre range before the car needs a full 16 hour deep recharge means that all these RSS sites will get is the rough positions of the three Nissan garages that will stock this woeful vehicle."
That's very amusing.
Just a little short sighted.
"You think the Nissan Leaf is the way forward, the car that will be the saviour of our planet?"
I think expecting some eco freak's wet dream to be the *only* vehicle that will helpfully report *exactly* where they are on request is short sighted.
But it is one of the first.
I doubt it will be the last.
Oh come on! I'm getting tired of seeing these words every time some product is found doing something it shouldn't be doing. The capability has to be coded in and therefore designed in to the product - especially if, as it seems is the case here, the capability works.
Where's the 'Bullshit' Icon?
I think it was more a case of, oh what would this facecack generation of users love to have on their car... etc.
Personally I have neither a mobile phone (LOVE it) nor a car - so no GPS either.
The wife's phone (android) has location services disabled and if it were up to me, social networking would be disabled by dansguardian.... I did this one day and she went nuts. Apparently the internet is facebook these days.
But anyway, back to the car, I don't think it was done maliciously. They want to SELL cars after all.
GM's OnStar service can pass the same information through a satellite connection from regular vehicles and is installed on MILLIONS of vehicles already.
Big Brother ALREADY knows where you're going, at what speed, and how long it took you to get there, whether you brake or accelerate excessively, had an accident or not.
As such, the police can get all of this info from OnStar or from your onboard computer.
Whether or not GM sells the info on to insurance or advertising agencies, private investigators or "News of the World" is anyone's guess.
As part of the US Navy I made many extended stay trips to Japan. Our barracks were cleaned by Japanese. On one occasion in 1961 I left $600 lying on my bed while I took a three day trip. The $600 was on my bed when I got back. Try that in any other country.
The very civilized way the Japanese people behaved after the recent earthquake and tsunami is something only a few parts of the United States can match. Ethics is a cornerstone of being Japanese.
That's my experience based on recurring visits from 1961 to 1993. What's your experience?
Punch line #1: So this means my car is going to have its own Facebook page? What happens if it defriends me?
Punch line #2: Forget where you parked your car; was it stolen or want to know where it's been? Google it.
Punch line #3: If it's Microsoft "powered" wait for SP 3 before taking any long trips and double check your configurations otherwise Bing will be enabled, whether you want it or not.
OK, I'm bored now.
"Each time the driver accesses a given RSS feed, the car's precise geographic coordinates, speed, and direction are sent in clear text. The data will also include the driver's destination if it's programmed in to the Leaf's navigation system, as well as data available from the car's climate control settings."
1. None of these are particularly sensitive pieces of information to begin with, unless you're REALLY paranoid. The worst one I can see is programmed destination, and then only if you're doing something really embarrassing.
2. This is likely a programming oversight (i.e., dev 1 wrote a function to send HTTP requests for the emergency function, dev 2 (or even 1 again) re-used it without thinking about the additional data being sent.) While this is not a good thing, Nissan should be able to (and just should) provide a means for users to get a firmware update that fixes this.
3. Bear in mind that this data is only sent to sites you've subscribed to, WHEN YOU REQUEST THEM. So it doesn't provide real-time tracking, only datapoints telling providers when and where you're looking at their data. So only add feeds you trust, and only check your RSS feeds when you're sitting still at an innocuous location, and don't have your mistresses' locations programmed into your GPS, and you're fine. If you're really worried, just don't use the CarWings feature at all.
4. I certainly hope SPEED is 0 while you're fiddling with the RSS feeds. If not, kindly hit the nearest obstacle that won't cause any harm to the rest of us and shuffle off, won't you? There's a good chap.
Cue the downvotes and FAIL icons from people who haven't read and comprehended the article and/or the original blog post and don't get how easy it is to avoid this info being sent to begin with.
Yay! A commenter who seems to understand the article.
However, I would pick a small nit - I believe that the location data is not sent as part of an emergency function but to do with extra features that the car will regularly get fed data about.
The way I suspect that it happened is that a feature was thought up to give regular info to the car/driver about the driving stats and it was also thought desirable to be able to check the same stats from your home PC. Someone then came up with the idea of supplying the data in the form of an RSS feed as lots of code already exists to handle these. This also added the wizzo feature that the car could receive other RSS feeds such as news and weather. At some point someone realised that you could tag extra info into the RSS request to make the send-info-to-server and read-stats-in-car part of the same data exchange. Some silly sod then forgot to code it so the extra data ONLY went on the Nissan RSS request.
But you do realize the irony is that while you're saying "Meh... no big deal..." you do realize that if this were the US or Brit government doing this... you and 100 other commentards would be screaming bloody murder.
People are more forgiving of large corporations snooping in on their private lives than if the incompetent bureaucratic governments did so. Unfortunately in this ignorance many forget the potential harm that can occur.
The bigger problem which obviously you seem to ignore is that when companies think about adding benefits and features to their products, they don't think enough about security. It's always a rush to be first to market and security is always an afterthought. Oh wait, you did think about it because you gloss over this point in your #2 argument. "A programming oversight". Yeah right.
(And actually you are right because the developers/architects don't bother to think beyond meeting the stated functional spec.)
For those smug* enough to own a Leaf, it would be one thing for Nissan to say that they are capturing your car's telemetry so that they can better research and understand your driving habits and use it to improve the next generation of electric cars, however, not saying it, or allowing you to opt-out of the data capture is another thing.
And the reason I call the drivers of Leafs smug is that many of them are purchasing/leasing the vehicles because they want to help save the environment. So what they end up doing is increasing the amount of electricity required to be generated, yet voting down and not supporting nuclear energy which is the cleanest and most efficient method of producing energy and can keep up with the increased demand. But that's a different rant. ;-)
"But you do realize the irony is that while you're saying "Meh... no big deal..." you do realize that if this were the US or Brit government doing this... you and 100 other commentards would be screaming bloody murder."
On the contrary, I would LOVE it if the government only collected about a dozen relatively unimportant pieces of information about me, and did so only when I accessed a completely optional feature of a non-critical add-on to a device I would use only sparingly to begin with.
I agree with your assessment of the real problem. I said "no big deal" about the effects, not about the cause. Sorry if that didn't come across.
I also want to acknowledge that Gettin Sadda is correct in that the feature I mentioned that is at the heart of this is not an emergency feature, but an informational one.
Finally, I'd like to mention that Nissan DOES tell customers that they are capturing the car's telemetry and provide an opt-out. They even go so far as making it happen every time on startup. See http://seattlewireless.net/~casey/?p=97&cpage=1#comment-7956 for reference. They don't tell customers that they're sharing that with every site (as I said before, probably because they didn't intend to), though, which is where the problem mentioned here comes up.
Well let's see
Nissan made *no* mention of this to their customers, but you do wonder if they did sell it as a "feature" to web site owners.
There is *no* opt out. You (the *customer*) have *no* choice in this information being coughed up.
It is an *automatic* opt in. Or did they think that (like Phorm) drivers are too stupid to understand the tech and make "informed" decisions?
"Trusted" websites. I "trust" a web site to do a certain thing or give me certain information.
That is as far as my "trust" goes with *any* web site. WTF would *I* want any random website to know where I was (which is essentially what this does).
It's Facebook on wheels, *without* the privacy options.
No need to ask. No need to know.
"There is *no* opt out. You (the *customer*) have *no* choice in this information being coughed up."
I am genuinely surprised that there are still people this dumb commenting on El Reg.
Do you have no capacity for reading? If you don't want the data broadcast, DON'T USE THE FEATURE. Either don't use their stupid (and probably useless) software, or don't read RSS feeds on the car's display...
Read the whole article before you comment.
"I am genuinely surprised that there are still people this dumb commenting on El Reg."
You're rather easily surprised then, and quite trusting as well.
"Do you have no capacity for reading? If you don't want the data broadcast, DON'T USE THE FEATURE. Either don't use their stupid (and probably useless) software, or don't read RSS feeds on the car's display..."
For those who have trouble parsing English.
My statement about no opt out was based on the assumption that a driver *wanted* RSS in the first place. That was *implied* but not stated.
It would appear you read English like parsing a functional language and you need *all* the implications spelled out.
Mixing up this information (which has *nothing* to do with the user's desires) is the equivalent of Microsoft's claim that Internet Explorer was an intimate part of Windows and could not be removed.
This also was nonsense.
I trust I have resolved any ambiguities you persist in having.
Andrew, not using a feature of the car is not the same thing as opting out of having your telemetry captured.
As another reader pointed out, OnStar captures your car's telemetry, but it's kept private until there's either your authorization to allow the police to access it, or the police contact OnStar with a LE sub.
If you want to read El Reg while driving, you should use your phone like everyone else does.
And does this mean we're going to get a Lewis Page article about the evil and hypocritical etc etc tree-hugging driving habits of Leaf owners based on data from El Reg's RSS snoop feed?
[blank because there's no icon for Incoming]
A car that automatically tells the police whenever you exceed the speed limit? Wouldn't that be a terrible invasion of the inalienable human rights of selfish, reckless, moronic, antisocial petrolheads? I should fucking-well hope so.
Sadly, it would simply spawn a new industry of speed-spoofing hacks. Also, I can't see the likes of Ferrari voluntarily incorporating this technology into their products anytime soon.
Software currently running on almost all North American cellco networks is good for an accuracy of less than 3 metres. Remember, they can use more than 3 tower arrays to pinpoint a wanted cell's location.
Only local very low power re-broadcast units can lessen this software's accuracy which is why ATT wants femtocells to have GPS in them.