back to article Nissan EV app password reset prompts user panic

Nervous Nissan UK drivers were today assured by the car maker that Connect EV app log-in failures are related to a migration of data onto a new platform rather than anything more nefarious. Customers contacted The Reg after receiving what one described as a slew of password resets and some speculated on the potential cause. …

  1. Peter Galbavy

    ... or cover-up?

    Cock-up or conspiracy... yes, I'll also go with cock-up every-time, but in this case it's more likely cover-up. Nissan has a history of sticking fingers in corporate ears and singing "la la la" lots. There may not have been a data breach per se, but I suspect some white-hat or internal programmer told them of a hole and they went ape to close it and fix, but telling customers is the last thing on their minds.

    Until they make a non-weasel worded public statement that is clear enough to not be able to offer wriggle room later, then it's still a typical Nissan cover-up.

    1. Waseem Alkurdi Silver badge

      Re: ... or cover-up?

      Exactly. Tell customers and risk a backlash? Hell no, especially when you have Tesla (hype grandmaster) as competition.

  2. Timmy B Silver badge

    The worst thing about owning an EV (we have a Leaf) is the app. The software is terrible, slow and buggy. There are some 3rd party versions that are a little better - but not much. We frequently have issues getting the car to pre-heat (something important on very cold days as it can add sizable range) so have learned to set the pre-heat using the timer the night before. I don't think this is a cover up - I think they are just rubbish on the software front.

    Everything else about having an EV is great.

    And amusing you chose to post a Juke engine bay. We have one of those too....

    1. John Brown (no body) Silver badge

      " I don't think this is a cover up - I think they are just rubbish on the software front."

      Now, I do understand that the app is not part of the safety critical systems, but you'd think companies such as car manufactures dealing day in, day out with safety critical system would at least apply similar work practices if not the same stringent testing principles to everything they do.

      1. Oneman2Many

        You will probably find that thankfully safety critical are generally developed by suppliers and are closed systems working with very small number of functionality requirements.

    2. werdsmith Silver badge

      Connect is not too great on the non-EV Datsuns too, my last car was a Datsun, I set up Connect on the first day, tried it and never bothered with it again.

    3. Moog42

      Agreed

      I found it unbelievable that Renault (for my old Zoe) was able to build an app that ALWAYS worked, yet Nissan built this absolute shower. I have the new LEAF, the car is great, the connectivity just pants. i haven't bothered to reset my credentials yet as all the posts seem to indicate it's just junked itself.

    4. Waseem Alkurdi Silver badge

      Probably outsourced, possibly to a neighboring country known for its spicy food, or another one known for, well, Chinese food?

      Can't somebody reverse-engineer the Connect API?

      Especially the car part?

      And where are the FOSS advocates when we need them? xD

  3. DJV Silver badge

    I call bollocks!

    I've moved whole web sites to different hosts where the website data contained encrypted passwords and that didn't require any such reset. Properly salted encrypted passwords contain all the information needed to determine the encryption used, even where several are in use on the same set of data. This means that there's no need to force a reset whatsoever.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: I call bollocks!

      I call one bollock.

      Migrated to a new system, might have changed the encryption, and it doesn't hurt to get people to update their passwords, and eliminate badly-secured dormant accounts in the process.

  4. Tom 38 Silver badge

    To give the benefit of doubt

    I can see (slightly) valid reasons for forcing a password reset like this. If the original system stored passwords insecurely (say, unsalted md5 hash), on auditing the system you might decide not to migrate the old passwords over, in case of a potential future breach that exposed passwords for users that did not log in inbetween the upgrade and the breach.

    Otherwise, you would simply upgrade to the desired hashing algorithm as soon as someone logs in with their valid password.

    1. Dan 55 Silver badge

      Re: To give the benefit of doubt

      And it also seems they are relying on Google pushing out the new version of the app to everyone, at the same time, on the day the backend is migrated, and everyone being able to update, which probably isn't going to happen either.

      Which is also what happened with TSB's migration.

    2. Peter Galbavy

      Re: To give the benefit of doubt

      I would agree except that the app stopped working with no notice and it took two weeks or more for them to issues a phishing-looking e-mail saying "click on this link to reset your password". If they knew they and were doing a controlled migration they would have sent out a notice saying "as of Nth Jan you will need to login to the web site and change your password" or similar.

  5. AS1
    Trollface

    Master control program

    Nothing to do with the MCP being unavailable?

  6. Jonathon Green

    They’ve already had a security “moment” with an earlier version of this app.

    If I recall correctly (it was a couple of years or so ago and I’m not a web programmer) once you’d authenticated with the server with valid credentials it issued some kind of persistent (and quite long lived) authentication token, and you could then issue requests using that authentication token but with the VIN of a different car to acesss State of Charge, driving records, and potentially location data.

    It would be disappointing if they’d made another cock-up like that (or been forced to make customers update passwords in order to prevent the possibility of a similar cock-up) but in view of the, errr... “disappointing” nature of the Nissan Connect offering (it’s appallingly sluggish, frequently unavailable, and has a bloody awful UI) it wouldn’t be entirely surprising.

    This is a shame since (as others have suggested) being able to check charge status, fire up the climate control and even interrogate vehicle location is jolly useful...

  7. StewartWhite

    The Nissan Connect is, and always has been, shockingly bad - so bad that I wouldn't trust the information it returns and I certainly wouldn't expect Nissan to take app privacy/security seriously given that they can't be bothered to fix problems that have been known about since at least when I bought a Leaf two years ago.

    I agree with other posters - the car itself is great, the app is appalling rubbish that should never have been allowed to escape from the lab.

  8. drand
    Coat

    Juke hazard

    I came here to pointout that picture is of a Nissan Juke, but someone's got there first. While I'm not a fan of downsized turbocharged engines with a high boost threshold and boring torque plateau, I think in the context of EV's the Juke does qualify as having a 'proper engine'. Nissan CG series all the way for me. And yes, I am wearing an anorak, which I shall fetch forthwith and leave.

    Edit - picture title even has 'Juke' in it so maybe I don't deserve as many i-spy points as I first thought.

    1. Alistair Silver badge
      Windows

      Re: Juke hazard

      I've never worried about the juke hazard. I just regard all Nissans as a hazard in general. Anything manufactured after they changed names.....

      1. Fruit and Nutcase Silver badge
        Paris Hilton

        Re: Juke hazard

        I've never worried about the juke hazard.

        Reboot of "Dukes of Hazzard" as "Jukes of Hazzard" with a Nissan Juke taking the place of the Dodge Charger, and a Union Jack on the roof to side-step the Confederate Flag issue. The change of flag means it's a change of location to a county in Blighty - Essex???

        Paris - Daisy

        1. Waseem Alkurdi Silver badge
          Coat

          Re: Juke hazard

          But could this possibly infringe on the Union Jack Mini Cooper design?

          (I know, getting my coat)

  9. Anonymous Coward
    Anonymous Coward

    “There has been no data breach,”

    but rest assured, WHEN it comes, they'll be extremely sorry and naturally, rest assured they take the privacy and data protection of their customers with utmost seriousness.

  10. Pascal Monett Silver badge
    Trollface

    Hey, it's a car maker

    Cut Nissan some slack, it's not like they can hire competent programmers and consultants to paint them a picture of how the world actually works...

    1. AndrueC Silver badge
      Meh

      Re: Hey, it's a car maker

      Yup. Another example of a 'hardware manufacturer' not understanding how to create good software. Honda are no better.

  11. Keith Oborn

    App and website been out for a week

    App says "Use ID / Password invalid"

    Website says "please enter user ID and password"

    Forgotten password link never sends reset email

    Attempt to register an account says "server error"

    Been like that for a week now.

  12. DCFusor Silver badge

    I have a Volt, myself. The GM app stank also, I quit using it for anything myself long ago. the car itself is fantastic - at least the USB jack lets me play regular music files and I no longer have to have iTunes format (like the 2010 Camaro demanded). But of course, no plain old aux jack and bluetooth bugs that run the battery down(!) - and also give bluetooth quality sound, along with Sirius which of course anyone sane gets off of as quick as they can, finding out that like with Verizon, once they have your CC number it's really, really, near impossible to stop their billing robot. OnStar, one year's worth cost triple what a standalone GPS does at least lets you cancel gracefully - kind of, they can still track you by radio.

    To me, the real issue is that car manufacturers all want to be Apple, lock you into their walled garden, but not even lift the fingers to innovate and update that even now-boring Apple does. I mean, upgrading an overpriced phone with nothing really new in it every couple years is bad enough....Cars still have 4 wheels and some of us just want to get there. A little sporty or luxury is nice, but...trying to be what they cannot be is just stupid.

    Cars, north of $30,000, almost never get updates, never upgrades, can't have their now-vast networks of internal computer hardware updated or even replaced - try to do something with the audio system for example - now it's also all the bing-bong alerts, your hands-free cellphone and a bunch of other stuff and no car stereo shop will have anything to do with it - and neither can you. Even if you're a real EE, as I play on TV - I have other things to make a life's work of.

    And then they wonder why sales are down (other than all our governments obvious lies about the economy catching up with them too). The more people burned, and I know a few myself, the less people are going to pay real serious money - > 50+ iphones, really? - to get caught up in this web of crap and get a minor upgrade if even that? I can buy a paint job and a can of new car smell cheap, guys.

    1. Dan 55 Silver badge

      To me, the real issue is that car manufacturers all want to be Apple, lock you into their walled garden

      I'd say the car manufacturers got there first with walled gardens and if Apple did look around for inspiration instead of getting there on their own they would have copied it from them.

  13. jake Silver badge

    WAIT! Hang on, back up a second ...

    This statement:

    "The EV version of the app allows ‘leccycar drivers to see time to full charge, driving range, time to flat battery and other useful car-related information."

    You mean you have to login to a REMOTE computer to use DASHBOARD GAUGES? What the fuck are these idiots thinking? What purpose does this serve? Why would anybody in their right mind buy into such a system? The mind absolutely boggles!

    1. Timmy B Silver badge

      Re: WAIT! Hang on, back up a second ...

      "You mean you have to login to a REMOTE computer to use DASHBOARD GAUGES?"

      erm - no. All of this information is available on dash gauges. But it is useful to have some of it available to the app. For example if you are at a service station and the car is charging - you are having a coffee and check from inside to see the state of play, or you're shopping for the day and you want to check the progress of charging, or plugged in at home and want to check. There is a whole load of information that's available without being in the car or turning the car on.

      You're totally missing the point.

      Let me put it in non-EV terms. You're going on a journey - perhaps to an appointment at a set time - and the fuel station is in the opposite direction to the appointment. You can't remember how much fuel is in the car. You can simply check on the app to know if you have to leave earlier to be at the appointment on time. All makes total sense to me.

      1. jake Silver badge

        Re: WAIT! Hang on, back up a second ...

        "You're totally missing the point."

        Am I? You are the one who thinks it's OK to have to login to a remote system to view the data of the car in your driveway. Doesn't it seem a trifle odd that your car uploads all that telemetry to a system halfway around the world, just so you can see it in an "ap"? Exactly what data do they collect? How long do they store it? What else happens to that data? Who has access to it? Is it secure? How do you know?

        As a side note, I don't need an "ap" to tell me what kind of range I have left on my vehicle's existing fuel. Most of us figure that one out all by ourselves as teenagers with little-to-no income. Most of us aren't interested in a return to that teenager range anxiety, either.

        1. Timmy B Silver badge

          Re: WAIT! Hang on, back up a second ...

          I don't "have to login". I can walk to the car and get the information. It's just simpler not to. I also don't give two hoots who knows how much electricity I use, how much I have left, how far I can drive on it or if I have the aircon on. If I was to worry about that then goodness only knows what else I could find to worry about. I'd certainly not go anywhere near the internet.

          For someone keen on "giving up teenager range anxiety" you're very keen on keeping hold of teenage conspiracy silliness. I have an EV because it drives better than any other car I've ever driven, is more comfortable than any other and is cheaper by far than any other. But it did cost more than anything I could afford as a teenager for sure!

        2. Oneman2Many

          Re: WAIT! Hang on, back up a second ...

          As has already been mentioned, you don't have to login into a remote system to the data. You can get the same information in the car if you don't want the convenience of having the information remotely. As you seem to have a problem of having the extra convenience the car will work just fine if you switch the option off.

          And why is it odd to upload the data to a central location for the app to access it ? How else do you propose the app can read the data from the car ?

    2. Moog42

      Re: WAIT! Hang on, back up a second ...

      Nope. It has many many gauges.

      The best function of the app is this - wake up, open curtains, see car is frosted over, ask app to defrost car, get ready for work, drive in a warm car. Works for the aircon too, and the heated seats/steering wheel. Anything else, meh.

      1. jake Silver badge

        Re: WAIT! Hang on, back up a second ...

        "see car is frosted over, ask app to defrost car, get ready for work, drive in a warm car. Works for the aircon too, and the heated seats/steering wheel."

        What does that do to your range? How does it affect battery longevity?

        1. Simon Robinson

          Re: WAIT! Hang on, back up a second ...

          "What does that do to your range? How does it affect battery longevity?"

          If the car is still plugged in to charge, there is no use of the car battery to pre-heat/cool, so you get a car at the required temperature without losing range.

          1. Is It Me
            Flame

            Re: WAIT! Hang on, back up a second ...

            I think this is the bit that could have been better explained by people further up the thread, that you can heat or cool the car while it is still plugged in.

        2. imanidiot Silver badge

          Re: WAIT! Hang on, back up a second ...

          (AFAIK, I don't own an EV) If it's still connected to the charger and the electronics is actually well designed, probably nothing and no.

          1. Mattjimf

            Re: WAIT! Hang on, back up a second ...

            If plugged in you can pre-heat/cool the car for up to 3 hours, it works best with the 6.6Kw connection as that doesn't use any of the battery, the 3.3Kw versions (only on the 24 and 30KWh versions) use a small amount of the battery power to pre-heat/cool (usually 1-3%). Unplugged you can pre-heat/cool the car for 15 minutes again this only uses 1-3% of battery power.

        3. commonsense

          Re: WAIT! Hang on, back up a second ...

          "What does that do to your range? How does it affect battery longevity?"

          I hired an eGolf with Zipcar recently. 160 miles left according to the computer. Turn the heating on, dropped almost instantly to 106 miles. So probably 30%, give or tak.

          1. Timmy B Silver badge

            Re: WAIT! Hang on, back up a second ...

            "I hired an eGolf with Zipcar recently. 160 miles left according to the computer. Turn the heating on, dropped almost instantly to 106 miles. So probably 30%, give or tak."

            That's terrible. We lose less than half that in our leaf. But I suppose it depends on the weather - if it was very cold it may be different. In the UK we tend toward wet and chilly rather than properly cold and I don't really like temps above 18C anyway.

    3. spold Bronze badge

      Re: WAIT! Hang on, back up a second ...

      A limited set of dashboard gauges is available with the free version, if you want the full set of the ones referred to these are available with the paid version.

      Indicate left, apply the handbrake, and toot the horn (simultaneously) to reBOOT and apply the upgrades.

      If you haven't reset your password then I'm afraid you are going nowhere.

      Don't worry if you breakdown we know where you are and we are coming to get you. Our privacy policy is clearly displayed on the inside of the petrol tank.

    4. Anonymous Coward
      Anonymous Coward

      Re: WAIT! Hang on, back up a second ...

      @Jake - Your mind absolutely boggles! TFTFY

      You may be surprised to know that not everyone on planet earth thinks the same way as you.

      Neither does the world revolve around you.

      People are entitled to their own opinions - whether they chime with yours or not is irrelevant. But thanks for letting us know how you feel - we'll sleep easier tonight.

      1. jake Silver badge

        Re: WAIT! Hang on, back up a second ...

        Touched a nerve, did I? Might want to ask yourself why, instead of attempting to rail in my general direction.

        1. Anonymous Coward
          Anonymous Coward

          Re: WAIT! Hang on, back up a second ...

          No, but I took your advice though. Thanks for asking.

          The answer is that I, and one or two other people, get annoyed by those who think their opinion is more valid than everyone else's.

  14. Tashritu

    The BMW App is crap too. Not reliable, very slow sometimes and you have to keep it open until confirmation of a command comes back. Also it uses “CLIMATISE” as the command to heat or cool!

  15. Jeffrey Nonken Silver badge

    Hanlon's Razor it is, then.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019