This is a case study in why the misuse of identifiers can be a dangerous thing. Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs.

Thankfully Nissan removed the app because someone could access a set of controls in the Leaf because the NissanConnect app only required the vehicle identification number (VIN) for access, which meant access was not restricted to a car’s owner, rather anyone that could guess a VIN (or read it off of a Leaf dashboard). Luckily the app allowed access to a limited set of controls outside of when the car was running.

Ross

On Fri, Feb 26, 2016 at 7:50 AM, <Ingo.Friese@telekom.de> wrote:

Hello,
I hope you are all doing well. I’d like to remind you that our next IDoT-call is coming up today.
I’m looking forward to talking to you!
Best regards
Ingo
Date and Time
Friday, January 26th, at 7am PT (time chart)
Voice: Skype: +99051000000481 or US +1-805-309-2350 / Alternate Toll +1 (714) 551-9842 (international dial-in lines), room code 613-2898#
(Turbobridge call options)

_______________________________________________
DG-IDoT mailing list
DG-IDoT@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idot

Ross Foard
(703) 728-1543 (cell)
rfoard@gmail.com