But invalid requests are clearly identified by a return status indicating an error code. Trip information is stored in the car (several years’ history) and can be retrieved with an unprotected GET command: power consumption, travel distance, drive efficiency, date and time, and mileage. This can give a remote attacker information about the frequency, time, and extent of the user’s daily trips. The back-end server is not unique but depends on the region where the car was registered: multiple API endpoints controlled by different parties mean that any needed correction has to be applied on different servers with different APIs. This situation is not ideal for deploying a needed correction, nor in terms of the cost of that correction. It also appears that the App is able to disable the Telematics unit of the LEAF. The issue was reported to Nissan on January 23rd, and details were exchanged by email and phone until February 20th, but as some forums were aware of the problem, Hunt decided to publish an article on his security blog on February 24th even though no correction had been made. On February 25th, Nissan has taken the service