This is a case study in why the misuse of identifiers can be a dangerous
thing. "Controlling vehicle features of Nissan LEAFs across the globe via
vulnerable APIs":
http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

Thankfully Nissan removed the app because someone could access a set of
controls in the Leaf because the NissanConnect app only required the vehicle
identification number (VIN;
https://en.wikipedia.org/wiki/Vehicle_identification_number) for
access, which meant access was not restricted to a car’s owner, rather
anyone that could guess a VIN (or read it off of a Leaf dashboard). Luckily
the app allowed access to a limited set of controls outside of when the car
was running.
Ross
On Fri, Feb 26, 2016 at 7:50 AM,
Hello,
I hope you are all doing well. I’d like to remind you that our next IDoT-call is coming up today.
I’m looking forward to talking to you!
Best regards
Ingo
*Date and Time*
- Friday, January 26th, at 7am PT (time chart) http://www.timeanddate.com/worldclock/fixedtime.html?msg=IDoT+Conf+Call&iso=20160226T07&p1=224&ah=1&am=00
- Voice: Skype: +99051000000481 or US +1-805-309-2350 / Alternate Toll +1 (714) 551-9842 (international dial-in lines http://kantarainitiative.org/confluence/x/KYC_/), room code 613-2898#
- (Turbobridge call options https://www.turbobridge.com/join.html)
_______________________________________________
DG-IDoT mailing list
DG-IDoT@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idot
-- Ross Foard (703) 728-1543 (cell) rfoard@gmail.com
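
The identifier-versus-credential problem described in the message above, as an added example that is not part of the original thread and is not Nissan's code. The function names, the token scheme, and the VINs are assumptions constructed for illustration: one check accepts the VIN alone, the other requires a server-issued token and verifies that the authenticated account owns the vehicle.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: made-up VINs mapped to made-up owner accounts.
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
SERVER_KEY = secrets.token_bytes(32)  # secret held only by the server


def _tag(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Hypothetical token handed out after a successful login."""
    return f"{account}.{_tag(account)}"


def account_from_token(token: str):
    """Return the account a token was issued to, or None if it is not valid."""
    account, _, tag = token.partition(".")
    if not account:
        return None
    # Constant-time comparison on bytes, so arbitrary input cannot raise.
    ok = hmac.compare_digest(tag.encode(), _tag(account).encode())
    return account if ok else None


def allow_insecure(vin: str) -> bool:
    # Weak pattern: the VIN is treated as proof of ownership, although it is
    # only an identifier (guessable, and readable from the dashboard).
    return vin in OWNERS


def allow_secure(vin: str, token: str) -> bool:
    # Authenticate the caller first, then authorize: the VIN only selects
    # the vehicle, and the request passes only for that vehicle's owner.
    account = account_from_token(token or "")
    if account is None:
        return False
    return OWNERS.get(vin) == account


if __name__ == "__main__":
    alice = issue_token("alice")
    print("VIN only, not the owner:   ", allow_insecure("TESTVIN0000000002"))
    print("alice's token, bob's VIN:  ", allow_secure("TESTVIN0000000002", alice))
    print("alice's token, alice's VIN:", allow_secure("TESTVIN0000000001", alice))
```
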