The Nissan LEAF all-electric car is full of technological firsts. One of these is a GSM cellular connection to the internet, used for providing voluntary telemetry information to Nissan, new charging stations, competitive driver rankings, and even RSS feeds. This is called Nissan CARWINGS.
However, before you start plugging in your favorite RSS feed sources, there is something you need to be aware of.
After creating some of my own third-party RSS feeds, I noticed something very peculiar in the HTTP GET in my Apache logs (note that I blanked out the exact position of the car in my driveway with x and y):
22.214.171.124 - - [12/Jun/2011:16:19:39 -0600] "GET /rss.php?lat=47.xxxxxxxxxxxxx
&navi_set_spd_d=mile/h& HTTP/1.1" 200 641 "-" "Mozilla/5.0 (compatible;
NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)"
Looking at the GET string above, the “lat” and “lon” variables contain the current position of the vehicle, “speed” is the vehicle speed, “car_dir” is the direction of the car, and “lat_dst” and “lon_dst” are the destination configured in your navigation system. I am not sure what the other lat/lon positions are, but perhaps they might be related to waypoints on a multi-stop itinerary.
All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn’t matter! While a lot of these providers are probably not aware of these (rather valuable) parameters the car passes, they probably sit in thousands of HTTP logs already, waiting to be parsed out — or perhaps supported in the future.
There is no way to prevent this data from being sent, nor do Nissan or CARWINGS warn you that all of your location data can be flung off to random third parties. Simply put in any RSS URL, and CARWINGS will add a question mark followed by all of the location data. Note that the RSS feeds are only loaded at the instant you request them, so while this cannot be used as a persistent vehicle tracker, it can provide real-time data on where you are located at that moment.
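For feed operators who find these parameters sitting in their own access logs, here is an added example (not code from the original post) that rewrites Apache combined-format lines from the CARWINGS user agent so the location values are not retained. The sample log lines, their parameter order and values, and the REDACTED marker are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names the post identifies in the CARWINGS query string.
LOCATION_PARAMS = {"lat", "lon", "speed", "car_dir", "lat_dst", "lon_dst"}
CARWINGS_UA = "NISSAN CARWINGS"  # substring of the User-Agent shown in the post

# Apache "combined" format:
# host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "\S+ )(?P<target>\S+)'
    r'(?P<mid> [^"]+" \d{3} \S+ "[^"]*" ")(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IPs, made-up coordinates).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2011:16:19:39 -0600] "GET /rss.php?lat=47.0001'
    '&lon=-122.0001&speed=0&car_dir=90&lat_dst=47.1&lon_dst=-122.1'
    '&navi_set_spd_d=mile/h HTTP/1.1" 200 641 "-" "Mozilla/5.0 (compatible; '
    'NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)"',
    '192.0.2.20 - - [12/Jun/2011:16:20:01 -0600] "GET /rss.php HTTP/1.1" '
    '200 641 "-" "ExampleReader/1.0"',
]

def redact_target(target):
    """Blank the values of the location parameters, keep everything else."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k in LOCATION_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="/")))

def scrub_line(line):
    """Return (line, changed); only CARWINGS-agent requests are rewritten."""
    line = line.rstrip("\n")
    m = COMBINED.match(line)
    if not m or CARWINGS_UA not in m["agent"]:
        return line, False
    target = redact_target(m["target"])
    return m["head"] + target + m["mid"] + m["agent"] + '"', target != m["target"]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry)[0])
```

Running the same function over rotated logs before they are archived keeps the request record while dropping the coordinates.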
I have created a proof of concept for those who want to see it all in action. Here is an RSS feed you can plug into the Nissan LEAF CARWINGS website:
Please note that your location information will be kept private; I am not making use of this data for any purpose.
UPDATE: Here is another interesting application of the “flaw”, a location-based RSS weather feed complete with weather icons:
(I had to remove this link as the geocoding provider has cut me off for heavy traffic..ugh)
Quick demonstration of what the Car Spy RSS feed will do:
Full explanation and demonstration video:
The entire “flaw” is not entirely evil; here is a location-based weather feed that I came up with tonight, complete with weather icons:
Update June 13 3:23 PM PDT: While nobody bothered to inform the customers, Nissan does document this functionality in this obscure Japanese developer document: http://lab.nissan-carwings.com/CWL/Spec.cgi [Google Translated].
Update June 14 10:45 PM PDT: There have been a couple of questions regarding the contents of the headers, and whether there is any identifying information that CARWINGS could be providing. From what you can see here, there is not:
Connection: TE, close
User-Agent: Mozilla/5.0 (compatible; NISSAN CARWINGS; http://lab.nissan-carwings.com/CWC/)
Also, CARWINGS does not accept cookies.
Thus, besides some very exotic trending, it would be difficult to identify anybody making the request. It would be much easier for advertisers/content providers/etc to track and identify your iPhone/Android phone instead.
UPDATE 6/15/2011 5:00 pm: It appears that CARWINGS is no longer providing any location information on requests.