The Nissan Leaf gives its coordinates to any RSS provider

It seems that in the future we will have to install a firewall not only on every personal computer but also on every private car. At least, the approach to information security that car makers are demonstrating today is hardly reassuring.

For example, consider how the Carwings information system works in the Nissan Leaf. First, the car maintains a permanent internet connection. Second, the built-in RSS feed reader connects to the Carwings web service, which provides the coordinates of your car to a third-party RSS data provider. This is done so that you can receive personalized RSS services such as the weather forecast for the region where you are.

But the interesting thing is that when you subscribe to any channel (for example, CNN news), your exact coordinates are sent to the data provider for some reason.

One of the lucky owners of a Nissan Leaf set up an RSS feed on his own server just to learn how the coordinates are transmitted. In the Apache logs, he found requests like this one (specific coordinates redacted):
61.202.253.100 - - [12/Jun/2011:16:19:39 -0600] "GET /rss.php?lat=47.xxxxxxxxxxxxx&lon=-122.yyyyy&lat_dst=47.xxxxxxxxxxxxx&lon_dst=-122.yyyyyyyyyyyy&lat_1=&lon_1=&lat_2=&lon_2=&lat_3=&lon_3=&lat_4=&lon_4=&lat_5=&lon_5=&car_dir=212&speed=0&language_navi=use&navi_set_t_zone=-8.00&navi_set_dst_d=mile&navi_set_tmp_d=F&navi_set_e_mlg_d=mile/kwh&navi_set_spd_d=mile/h& HTTP/1.1" 200 641 "-" "Mozilla/5.0 (compatible; NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)"

As you can see, right in the HTTP GET parameters, the request contains the current coordinates of the vehicle (lat and lon), the current speed (speed), the direction of travel (car_dir) and the coordinates of the destination from the car’s navigation system (lat_dst and lon_dst).
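To audit what a feed server actually receives, the request above can be parsed straight from the access log. The following is an added example, not part of the original article: the function name `disclosed_telemetry` is hypothetical, and the sample log line uses a constructed documentation IP address and constructed coordinates in place of the redacted ones.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Parameter names as they appear in the request quoted in the article.
POSITION = ("lat", "lon")
DESTINATION = ("lat_dst", "lon_dst")
MOTION = ("speed", "car_dir")

def disclosed_telemetry(line):
    """Return the non-empty telemetry a CARWINGS feed request exposes, else None."""
    m = COMBINED.match(line)
    if not m or "NISSAN CARWINGS" not in m["agent"]:
        return None
    # keep_blank_values so empty fields such as lat_1= are seen and then filtered
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    first = {name: values[0] for name, values in query.items()}

    def group(names):
        return {n: first[n] for n in names if first.get(n)}

    waypoints = [n for n in first if re.fullmatch(r"(lat|lon)_\d", n) and first[n]]
    return {
        "time": m["time"],
        "position": group(POSITION),
        "destination": group(DESTINATION),
        "motion": group(MOTION),
        "waypoints_set": waypoints,
    }

# Constructed sample: same shape as the article's log line, made-up values.
SAMPLE = (
    '192.0.2.10 - - [12/Jun/2011:16:19:39 -0600] "GET /rss.php?lat=47.6000'
    '&lon=-122.3000&lat_dst=47.7000&lon_dst=-122.2000&lat_1=&lon_1='
    '&car_dir=212&speed=0&navi_set_dst_d=mile& HTTP/1.1" 200 641 "-" '
    '"Mozilla/5.0 (compatible; NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)"'
)

if __name__ == "__main__":
    print(disclosed_telemetry(SAMPLE))
```

Run over a real access log, this shows per request which of the position, destination and motion fields arrived populated, which is the evidence needed to describe the exposure to the vendor.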



It is clear that the car manufacturer wants to constantly monitor this information (at least, they are unlikely to ever give up such an opportunity), and they can share this data with law enforcement agencies upon request, but why give it to everyone indiscriminately? Very sensitive information is handed to a third-party RSS provider, which can in fact be absolutely any site on the Internet.

The video below shows how the data "leaks" from the car.



In other words, it would be good to put a regular firewall on this Nissan Leaf that would block the sending of coordinates over the Internet. But for now this cannot be done: no such firewalls exist, and it is impossible to disable the built-in transfer of coordinates from the Nissan Leaf. Flashing the firmware is illegal and may result in loss of warranty for the car. The question is whether automakers are aware of the problem, or whether they follow completely different standards for protecting information from those of the computer industry.

Source: https://habr.com/ru/post/121229/

