Nissan LEAF cars leak speed, position, destination to RSS feeds
Source: Nissan A developer has found that the in-car electronics on the Nissan LEAF all-electric car leaks telemetry information to RSS feeds. The in-car electronics, CARWINGS, allows drivers to access their own selected RSS feeds which are then read to them.
But when Casey Halverson added his own feeds to the system, he found that his Apache server logs held more than just a request for the RSS data. The GET request for the RSS feed also included his latitude, longtitude, speed, direction, and destination latitude and longtitude.
"All of these lovely values are being provided to any third party RSS provider you configure" writes Halverson; there are no warnings that this information is being sent and it is not possible to disable it. The information is only provided when the RSS feed is requested, so it cannot be used as a vehicle tracker but it does offer real-time snapshots. The IP address shown for the request appears to belong to Hitachi Automotive Systems in Japan, which may indicate that the RSS request is being proxied by a Nissan data center; whether this will make the problem easier to fix is unclear.
Halverson has created a demonstration RSS feed for LEAF drivers which will read back the details that are being leaked. He has also created a "less evil" RSS feed which will give weather information for the car's current location. The issue is a good demonstration of the next generation of privacy problems.