Nissan LEAF CARWINGS tells any RSS feed provider your current position, speed, direction, destination, etc.

The Nissan LEAF all-electric car is full of technological firsts. One of which is a GSM cellular connection to the internet for providing voluntary telemetry information to Nissan, new charging stations, competitive driver rankings, and even RSS feeds. This is called Nissan CARWINGS.

However, before you start plugging in your favorite RSS feed sources, there is something you need to be aware of.

After creating some of my own third-party RSS feeds, I noticed something very peculiar in the HTTP GET requests in my Apache logs (note that I blanked out the exact position of the car in my driveway with x and y):

61.202.253.100 - - [12/Jun/2011:16:19:39 -0600] "GET /rss.php?lat=47.xxxxxxxxxxxxx
&lon=-122.yyyyy&lat_dst=47.xxxxxxxxxxxxx
&lon_dst=-122.yyyyyyyyyyyy
&lat_1=&lon_1=&lat_2=&lon_2=&lat_3=&
lon_3=&lat_4=&lon_4=&lat_5=&lon_5=&car_dir=212&speed=0
&language_navi=use
&navi_set_t_zone=-8.00&navi_set_dst_d=mile&navi_set_tmp_d=F
&navi_set_e_mlg_d=mile/kwh
&navi_set_spd_d=mile/h& HTTP/1.1" 200 641 "-" "Mozilla/5.0 (compatible;
NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)"

Looking at the GET string above, the “lat” and “lon” variables contain the current position of the vehicle, “speed” is the vehicle speed, “car_dir” is the heading of the car, and “lat_dst” and “lon_dst” are the destination configured in your navigation system. I am not sure what the other lat/lon positions (lat_1/lon_1 through lat_5/lon_5) are, but perhaps they are related to waypoints on a multi-stop itinerary.

All of these lovely values are being provided to any third-party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn’t matter! While a lot of these providers are probably not aware of these (rather valuable) parameters the car passes, the values probably already sit in thousands of HTTP access logs, waiting to be parsed out — or perhaps supported in the future.

There is no way to prevent this data from being sent, nor does Nissan or CARWINGS warn you that all of your location data can be flung off to random third parties. Simply put in any RSS URL, and CARWINGS will append a query string (a question mark followed by all of the location parameters) to it. Note that the RSS feeds are only loaded at the instant you request them, so while this cannot be used as a persistent vehicle tracker, it does reveal your real-time position and heading at the moment of the request.
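As an added example (not code from the original post), here is what a feed provider on the receiving end could do with requests shaped like the one above: detect CARWINGS hits in an Apache combined log and list which location parameters they leak, and scrub those parameters from a request target before it is logged or forwarded. The log line and coordinates are constructed; the parameter names are the ones from the captured GET.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names taken from the GET line quoted above. lat_1..lon_5 are the
# unexplained extra pairs (the post guesses they are itinerary waypoints).
LOCATION_PARAMS = frozenset(
    {"lat", "lon", "lat_dst", "lon_dst", "car_dir", "speed"}
    | {f"{k}_{i}" for k in ("lat", "lon") for i in range(1, 6)}
)
CARWINGS_UA_MARK = "NISSAN CARWINGS"  # substring of the User-Agent seen in the logs

# Apache combined log format; only the fields this example needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample line: same shape as the request in the post, made-up coordinates.
SAMPLE_LINE = (
    '203.0.113.7 - - [12/Jun/2011:16:19:39 -0600] "GET /rss.php?lat=47.600000'
    '&lon=-122.330000&lat_dst=47.610000&lon_dst=-122.200000&lat_1=&lon_1='
    '&car_dir=212&speed=0&language_navi=use&navi_set_t_zone=-8.00 HTTP/1.1" '
    '200 641 "-" "Mozilla/5.0 (compatible; NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)"'
)


def leaked_location_fields(line):
    """Return {param: value} for the non-empty location parameters of a CARWINGS request.

    Lines from other clients, or lines that do not parse, yield an empty dict.
    """
    m = LOG_RE.match(line)
    if not m or CARWINGS_UA_MARK not in m["ua"]:
        return {}
    query = urlsplit(m["target"]).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k in LOCATION_PARAMS and v != ""}


def scrub_target(target):
    """Drop the location parameters from a request target (path + query).

    A feed operator or a privacy proxy can apply this before writing the access
    log or relaying the request upstream, so the car's position is never retained.
    """
    parts = urlsplit(target)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in LOCATION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    print(leaked_location_fields(SAMPLE_LINE))
    print(scrub_target("/rss.php?lat=47.6&lon=-122.3&speed=0&language_navi=use"))
```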

I have created a proof of concept for those who want to see it all in action. Here is an RSS feed you can plug into the Nissan LEAF CARWINGS website:

http://nwrs.net/carwings.php

Please note that your location information will be kept private; I am not making use of this data for any purpose.

UPDATE: Here is another interesting application of the “flaw”, a location based RSS weather feed complete with weather icons:

(I had to remove this link as the geocoding provider has cut me off for heavy traffic..ugh)

Quick demonstration of what the Car Spy RSS feed will do:

Full explanation and demonstration video:

The entire “flaw” is not entirely evil: here is a location-based weather feed that I came up with tonight, complete with weather icons:

Update June 13 3:23 PM PDT: While nobody bothered to inform the customers, Nissan does document this functionality in this obscure Japanese developer document: http://lab.nissan-carwings.com/CWL/Spec.cgi [Google Translated].

Update June 14 10:45 PM PDT: There have been a couple of questions regarding the contents of the HTTP headers, and whether there is any identifying information that CARWINGS could be providing. As the captured headers show, there is not:

TE: deflate,gzip;q=0.3
Connection: TE, close
Host: nwrs.net
User-Agent: Mozilla/5.0 (compatible; NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)

Also, CARWINGS does not accept cookies.

Thus, short of some very exotic correlation of request patterns, it would be difficult to identify anybody making the request. It would be much easier for advertisers, content providers, etc. to track and identify your iPhone/Android phone instead.

UPDATE 6/15/2011 5:00 PM: It appears that CARWINGS is no longer providing any location information on requests.

32 Responses to “Nissan LEAF CARWINGS tells any RSS feed provider your current position, speed, direction, destination, etc.”

  1. maht says:

    > There is no way to prevent this data from being sent

  2. someone says:

    Is there any information that allow to identify a particular car? That is, can the position and speed info be associated to your car?

  3. Mike Donovan says:

    What happens if you add a trailing “?” or “#” or “”?

  4. Who is paying for the internet connection?
    Are you online all the time?

    If it is your company’s car, it wouldn’t be too hard to make the RSS feed reload every x minutes. And voila, your company would always know where you are…
    Big brother is watching you :)

  5. Chris Espinosa says:

    As a LEAF driver I’m annoyed by the initial dialog that CARWINGS presents every time you start the car (see http://www.mynissanleaf.com/viewtopic.php?f=30&t=2738 ) forcing you to accept or decline the car’s sending telemetry information back to Nissan. Does declining this stop the RSS reader from sending the lat/long?

  6. admin says:

    @someone there is no GUID in the GET, however, I have not looked at the HTTP headers to determine if there would be any identifying information there. Also, no idea if the client supports cookies.

    @Mike Donovan good question, I’ll give it a try and see.

    @George Ruinelli This is the beauty of M2M telematics. It’s always connected, and the consumer is usually insulated from the cellular carrier contract. 3 years of CARWINGS comes with the car, and after that, you would probably pay Nissan on a monthly basis for their CARWINGS solution. To clarify, the location information is only sent IF the user clicks on the RSS feed. So unless someone is really addicted to their employer’s internal news feed, I doubt they could really track someone.

  7. admin says:

    @Chris Espinosa Perhaps someone can try this and report back. I’ve already read how declining to send the information for the study gets it stuck in some “never send data again” mode … I am not interested in finding out.

  8. DaveK says:

    So, what happens if I can socially engineer my LEAF-owning friends into clicking on a link to http://nwrs.net/carwings.php?lat=%3Cscript%3Ealert(%22Xss!%20lol%22);%3C/script%3E
    by telling them about this terrible privacy problem they’d better read about? ;-)

  9. Wing Wong says:

    Here’s a thought:

    Setup your own web server/proxy, which specifically filters out the long/lat/speed/direction information, before passing the information on to the remote RSS or other site.

    So, let’s say you want to access:

    http://realsite.com/rss.php

    You would point your CARWINGS rss browser to:

    http://myproxy.com/proxy/realsite.com/rss.php

    Assuming you’ve setup myproxy.com/proxy to intelligently handle transparently proxying your requests back and forth, ala Squid or Apache proxy rules. Should be interesting. :)

    Would also setup a status page that you can access with your phone’s browser, or perhaps an app, which will monitor what variables are being forwarded on, and flag them for filtering or unfiltering from your phone.

    Just saying, it would not be rocket science to “fix” this. However, this is just what one is aware of. I wonder if it sends back automated regular heartbeats back to CARWINGS outside of RSS reading? :)

  10. [...] to a Seattle, WA blogger, RSS feed subscriptions to websites provide your current position, speed, direction and [...]

  11. kfcws says:

    That’s some scary stats…..

    You prefer distance set to miles the same as your speed.
    Temp set to Farenheit.
    Your clock is set to -8 gmt… which I think is PDT.

    oh and your sat nav is set to USEnglish :D

  12. admin says:

    @kfcws You are onto me!!!! *hides*

  13. Mike M says:

    Declining doesn’t keep you from ever sending data again. I do it all the time.

    Also, in order to access the RSS feed menu, you have to hit the carwings button. If you didn’t agree when it asked you the first time, it will ask you again and you cannot enter the carwings menu until you agree.

  14. [...] largely depend on how Nissan explains to the general customer why they share this information. Via SeattleWireless [...]

  15. [...] (first slip) a discovery made by this blogger, who was surprised to see in his Apache logs HTTP requests with strange [...]

  16. [...] + technical details here. [...]

  17. Ed Borden says:

    It would be neat to send this data to a web service like Pachube.com (disclosure: I work there). Then you could actually make use of the data. Some people actually buy hardware to track their vehicles and pay money for services like that — why not turn this around and (assuming the privacy issues can be worked out) benefit from it. After all — it’s your data, right?

    What would be neat is a social application that Leaf owners could participate in, comparing usage, mileage, efficiency, etc. You could extrapolate a lot of that from this data stream, I’d guess. You can build all of this on top of Pachube, and if anyone is interested in doing so, please drop me a line, I’d love to support it! edborden@pachube.com

  18. Mike Suding says:

    I have a Nissan Leaf and I am concerned about this “flaw”. Today 6/14/11 I called into the Nissan customer help line 1-877-NO-GAS-EV. I spoke with Shawn (they don’t give last names - rightly so) and he gave me a case number 16882 after escalating to his supervisor. Even though this only gives info if you use RSS (I don’t), I think it is giving a bad first impression to all the possible Nissan LEAF customers that are not thorough enough to read the details or technical enough to understand them.
    Have any of you “registered” your complaint with Nissan (carwings) about this? Did anyone get any response? I plan to call Nissan again in a few weeks after they have had time to study the problem/concern. Thanks to YOU Casey for finding this “flaw”!

  19. kfcws says:

    I’d really love to get my hands on some server logs with all this data just to do some statistical analysis.

  20. Kirk K. says:

    Funny thing…. I sent this article from The Register to a guy that I work with in RTC2 who has a Leaf. He instantly recognizes your name, and tells me you work in RTC1. So through an article in a British tech journal, I find by sheer coincidence that the person who found the problem in the article happens to work a hundred yards from where I am sitting. A small world, indeed.

    BTW, you got name recognition in The Register. You are famous! (do not let it go to your head ;) ).

    http://www.theregister.co.uk/2011/06/13/nissan_leaf_privacy_invasion/

  21. Jason says:

    Does the RSS reader respect HTTP redirects (HTTP result code 302)? If so, does it append the same query string to the new, redirected URL? If not, then you could build a simple proxy that would remove the query string and then redirect back to the same PHP feed — that way, anyone on Earth could use your proxy and it wouldn’t really be much of a bandwidth hog on the server side.

  22. tinou says:

    I do mind being tracked, but I suspect the goal of Nissan here is to let the server select feeds items related to the client position (traffic updates ?): Reading them while driving, it’s not like you can spend the time and attention to do that manually, I guess …

    However, I’m not saying they solved it elegantly. :-)

  23. Sheldon says:

    Looking at the request posted in the initial article, I see nothing that identifies *me*. There is something transmitting Nissan Carwings, at location X,Y moving at speed Z.

    I’d like to know what local weather and traffic are. I’d also like to know about stores and gas stations I am approaching. Especially if they have any (electronic) coupons I could use.

  24. admin says:

    @Sheldon

    There is no identifying information (besides your navigation usage) and some great benefits. But the information shared is more than just the usual lat/lon position or general approximated location that people have become accustomed to on smartphones. And while you could argue that Nissan has a very broad, loose clause to cover such disclosures, I do not think it was obvious to even technically inclined users until I disclosed this. Yes, while the media picked up my little blog and blew it way beyond what I expected, it is very apparent that there is mixed reaction to highly detailed location information…“anonymous” or not. And your anonymity is directly related to how you have made use of your navigation system. If you selected ‘go home’ once and never again, that is effectively a unique identifier….and while ambiguous…personally identifiable.

  25. [...] Seattle blogger has determined that subscribing to RSS feeds from the LEAF CARWINGS system, the car is [...]

  26. [...]  |  Casey Halverson  | Email this | Comments This entry was posted in Technology & Gadget [...]

  27. [...]  |  Casey Halverson  | Email this | Comments Engadgetbreak cue, car, carwings, engadget, [...]

  28. Is it possible to disconnect this cell phone so that it ceases to tell
    the phone company where the car is? That is the only way to have
    surveillance.

    It is true that a personal cell phone does the same surveillance –
    but I’m not forced to have one. And even if you decide to have one,
    most of them let you take the battery out. Can you have a Leaf without
    having a cell phone?

  29. [...] InfoSec researcher Casey Halverson discovers an unusual tracking “feature” in his Nissan Leaf. Details on his blog. [...]

  30. [...] types of threats. The software developed by the car manufacturers can be buggy (Do you remember the story of the Nissan LEAF?). It’s difficult to protect yourself against this. Patches or updates [...]

  31. Dave Lokensgard says:

    I am a Leaf owner, and have no concerns about this information being sent. It doesn’t identify me, even if someone cared. I know it is being gathered to help design the future of the electric car, and am glad to participate.

    Bear in mind that the million of GM owners who use the service they provide with that “OnStar” button ARE personally identifiable and locatable at all times, and that OnStar is advertised as a feature, not a bug!!

    To me, any concern about this is ridiculous.

  32. Keith says:

    Sooo after a year I’m still ticked off… Of all the RSS features this was the really good one. I’m still disappointed that the FUD this created eliminated the only really useful RSS feature on the vehicle. Since the RSS feed was not traceable and there are more than one potential LEAF cars out there who could possibly care? Apparently a lot of misinformed folks. Try to be better balanced next time and define how this is a security risk?
