Feeds

Nissan car secretly shares driver data with websites

Location, destination, speed leaked

Internet Security Threat Report 2014

Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver's location, speed and destination to websites accessed through the vehicle's built in RSS reader, a security blogger has found.

The Nissan Leaf is a 100-percent electric car that Nissan introduced seven months ago. Among its many innovations is a GSM cellular connection that lets drivers share a variety of real-time data about the car, including its location, driving history, power consumption, and battery reserves. Carwings, as the service is known, then provides a number of services designed to support “eco-driving,” such as break downs of the vehicle's energy efficiency based on comparisons with other owners.

But according to Seattle-based blogger Casey Halverson, Carwings includes the detailed data in all web requests the Nissan Leaf sends to third-party servers that the driver has subscribed to through RSS, or real simple syndication. Each time the driver accesses a given RSS feed, the car's precise geographic coordinates, speed, and direction are sent in clear text. The data will also include the driver's destination if it's programmed in to the Leaf's navigation system, as well as data available from the car's climate control settings.

“All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn't matter!” Halverson wrote here. “While a lot of these providers are probably not aware of these (rather valuable) parameters the car passes, they probably sit in thousands of HTTP logs already, waiting to be parsed out – or perhaps supported in the future.”

There is no way to prevent the data from being sent, and the Carwings service issues no warning that third parties are receiving the data, Halverson added.

The revelation is the latest example of a location-based service with the potential to seriously jeopardize the privacy of its users. Data collected by both Apple's iPhone and Google's Android mobile operating system have created concern among some researchers and privacy advocates. In April, navigation device maker TomTom apologized for supplying driving data collected from customers to police to use in catching speeding motorists.

Halverson told The Reg Carwings asks users for permission to send location-based data to Nissan, but he said there is no warning that the same information also gets shared with all RSS feeds the user has subscribed to.

“The data is inadvertently being leaked out ,” he said. “I don’t think there is any ill intent.”

Third-party websites could use the information to tailor services in real time based on the driver's location, direction and other data. But with that data being secretly shared with third parties each time a driver accesses an RSS subscription, it's easy to imagine Carwings becoming a privacy liability for users whose whereabouts are sensitive, such as those who work with survivors of domestic abuse or those in law enforcement. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
You dirty RAT! Hong Kong protesters infected by iOS, Android spyware
Did China fling remote access Trojan at Occupy Central?
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.