This is a case study in why the misuse of identifiers can be a dangerous thing. Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs.

Thankfully Nissan removed the app because someone could access a set of controls in the Leaf because the NissanConnect app only required the vehicle identification number (VIN) for access, which meant access was not restricted to a car’s owner, rather anyone that could guess a VIN (or read it off of a Leaf dashboard). Luckily the app allowed access to a limited set of controls outside of when the car was running.

Ross

On Fri, Feb 26, 2016 at 7:50 AM, <Ingo.Friese@telekom.de> wrote:

Hello,

I hope you are all doing well. I’d like to remind you that our next IDoT-call is coming up today.

I’m looking forward to talking to you!

Best regards

                Ingo

Date and Time

 


_______________________________________________
DG-IDoT mailing list
DG-IDoT@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idot




--
Ross Foard
(703) 728-1543 (cell)
rfoard@gmail.com
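
Added example, not part of the original message and not Nissan's code: a minimal sketch of the flaw described above, where a handler treats the VIN as a credential, next to a version that authenticates the caller and then checks that the VIN belongs to them. The VINs, user names, token scheme and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: these VINs and owners are made up.
OWNERS = {"TESTVIN0000000001": "alice", "TESTVIN0000000002": "bob"}
SERVER_KEY = secrets.token_bytes(32)  # per-process secret for the toy token scheme


def _mac(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user):
    """Token handed out after login (the login step itself is out of scope)."""
    return f"{user}.{_mac(user)}"


def verify_token(token):
    """Return the user name if the token is authentic, otherwise None."""
    user, _, mac = (token or "").partition(".")
    ok = bool(user) and hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None


def climate_vin_only(vin, action):
    """Flawed pattern: knowing the VIN is treated as proof of ownership."""
    if vin not in OWNERS:
        return 404, "unknown vehicle"
    return 200, f"climate {action} for {vin}"


def climate_authenticated(token, vin, action):
    """Hardened: the VIN only names the car; the token proves who is asking."""
    user = verify_token(token)
    if user is None:
        return 401, "authentication required"
    # Unknown and foreign VINs get the same answer, so the response
    # does not confirm which VINs are registered.
    if OWNERS.get(vin) != user:
        return 403, "not permitted"
    return 200, f"climate {action} for {vin}"
```
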