121 - 140 of 279 Posts

·
Registered
Joined
·
308 Posts
Great two sodding days of being able to use the app!
I still disagree. Stuff like this shouldn't be made public knowledge.
No matter how long the company has known.
'Safe secure internet '? My sister in law had her card used by some lowlife who used her card details to order a phone!
Or the announcement that you can get a portable card machine to get £30 a go off people's contactless cards by holding it to their wallets?
At the end of the day the more people that know the more that will try it.
If it really is as easy as you say
I wasn't aware of the contactless scam. Ironic don't you think?
 

·
Registered
Joined
·
588 Posts
Discussion Starter · #125 ·
This seems to be gathering a lot of attention so rather than try to respond to many posts in this thread and direct messages, I feel it's easier to just make one post to try and address everything.

Given the extent that this information was already in the public domain (and further instances have since come to light), if anyone had wanted to find this, it was readily available. Nissan had over 4 weeks to respond to the initial disclosure which is enough time to formulate a plan to move forwards. It's also fairly clear why the service has been taken offline while they work on a fix now this is public, rather than when we made the private disclosure in January. Nothing has changed in terms of what is at risk, the only difference now is that people know Nissan are leaving a vulnerable service online and it's become apparent that people have a greater expectation of privacy and security. It's also further proof that this was the right course of action as had we not published, the service would still be online and still be vulnerable. The 30kWh Leaf and the next version of the NissanConnect EV app were also to come with the ability to GPS track the car as detailed in their press release here: Main Media - United Kingdom - Nissan Newsroom This risk has been uncovered and shall now be fixed while the impact was luckily still relatively low. If you'd like to direct your frustrations somewhere, consider the risk you were exposed to and who was responsible for that.

Having read some of the news articles this morning I have confirmed that the service is now indeed offline. There are also other instances where NissanConnect was vulnerable that have also been taken offline, it wasn't just limited to those we covered in the article. Hopefully it won't take Nissan long to work on a fix and when NissanConnect is back online we can move forwards with a safer and more robust solution.
 

·
Registered
Joined
·
229 Posts
Thank you for your work, and your persistence in the face of what sounds like Nissan's inappropriate response.
 

·
Registered
Joined
·
308 Posts
I had a suspicion it would go offline which is why I went out to the car to defrost before the timer I set in bed last night was due to come on. Good job. It didn't come on and the school run is not something you want to be late to!

We need to move on now though. Whether you think it was right or wrong to go public, the fact remains it has been. I was never worried about the security as there is more information available about me in my rubbish bin. In this day and age we can easily be surveilled physically and digitally in a much more sinister way. Feeling secure IMHO is just that. A feeling. Unless you give up contact with the outside world, relinquish your technology and 'fall off the grid' we will never be digitally secure. Even so-called secure data is breached as we hear all the time. They found Jason Bourne remember. I for one just hope we get a working, reliable and feature rich product as a result of this because I have found it really useful and kind of cool when it works. I've been using my smart watch Knight Rider style to activate my climate. You can't get cooler than that now can you?
 

·
Awaiting Tesla M3—tired of ancient Nissan software
Joined
·
336 Posts
I was never worried about the security as there is more information available about me in my rubbish bin.
Your rubbish bin isn't connected to the Internet, letting 1000s of script kids sell its content to the lowest bidders. Indeed, your rubbish bin is far more secure than Nissan Connect.
 

·
Registered
Joined
·
308 Posts
Your rubbish bin isn't connected to the Internet, letting 1000s of script kids sell its content to the lowest bidders. Indeed, your rubbish bin is far more secure than Nissan Connect.
The information they could sell that is available from Nissan Connect is worthless. I give it away for free all the time when I use email/social networks/web forums/etc. I'm more worried about my rubbish bin.
 

·
Registered
2020 Kia Soul First Edition
Joined
·
3,291 Posts
Has anyone bothered to raise a call with Nissan to say connect is not working? Feel like I want to raise a complaint. As far as I can see there has been no statement from Nissan again!
Yes.

I had problems yesterday morning, but managed to connect in the afternoon. I rang them and asked what was going on, but the girls said it was my car, which I do not believe for a nanosecond.

Not working again this morning on iOS. Not surprised.

I can't use timers as I never leave home at the same time.
 

·
Registered
Joined
·
38 Posts
Any (minor) inconvenience caused by not being able to remotely defrost my car is nowhere near as bad as someone being able to freely turn on my heating and drain my battery preventing me from making it all the way home. The battle to get Nissan to create a reliable and secure platform that is advertised as a key feature of the car has been going on for a very long time and they have repeatedly ignored user issues and failed to implement even the most basic security and QA practices.

@ScottHelme has done exactly the right thing in highlighting the issue and getting Nissan to take action. He and others have put in a lot of work clearing up and improving the mess of a platform Nissan duct taped together and have always worked in the community's best interests.

Looking at the disclosure a simple script could be used to run through every VIN combination leading to every Leaf having the climate control turned on. In my case this could leave me stranded in sub zero conditions.

So thanks @ScottHelme for your work and let's see if we can get Nissan to say how they are going to fix this properly and offer us all the platform we were sold with the car.
 

·
Registered
Joined
·
2,670 Posts
I had problems yesterday morning, but managed to connect in the afternoon. I rang them and asked what was going on, but the girls said it was my car, which I do not believe for a nanosecond.
@NissanGB, can you confirm that this was a mistake or have you actually told your staff to lie about it? Are dealers aware that you are sending people their way with "broken" cars when in fact it's due to this security flaw?
 

·
Registered
Joined
·
77 Posts
Well, at least this confirms that the information about the security blunder was true. I am very puzzled by the terminology used here though, since as I read the story there is nothing wrong with any app in itself, and this is in fact completely independent of any smart-phones; it is just that the actual communication with the car is triggered by sending a http request (a.k.a. opening a Web page) that could alternatively have come from just anybody on the internet, with no token required to prove authenticity. It is as if at an airport, after passing through security (the app) one would pass through a public road before boarding the plane. If this is indeed what it is about, then what Nissan must have done is shut down the Web server that was processing those http requests (in the airport analogy, cancel boarding altogether). Which of course would have the visible effect of making any app (or website) designed for remote communication with the vehicles inoperative, but that's just because outside communication to Nissan's infrastructure communicating with the cars is no longer possible.

It is ironic that Nissan now effectively shuts down NissanConnect EV after having held back Leaf deliveries for more than a month with the justification of not wanting to expose customers to the frustration of an inoperative NissanConnect system. (But I understand that Nissan really had no choice, there is no doubt that some kid somewhere would soon take up the challenge of turning on the heat in all Leafs all the time.) On the bright side, I think this new problem is entirely understood, they just have to set up a new and authenticated web service, and patch the apps to start using that; I think this can be done fairly rapidly.

By the way, the security fiasco does not seem to be in any way EV related (except that ICE vehicles probably cannot pre-heat), and might be expected to affect other Nissan telematics systems as well; is there any information about that?
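
Added example, not part of the original thread and not Nissan's code: a minimal sketch of the point made in the post above, contrasting a handler that trusts the VIN alone with one that requires a server-issued token and checks that the account owns that VIN. The token format, account names, VINs and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Everything below is constructed for illustration (hypothetical names and values).
SERVER_KEY = secrets.token_bytes(32)  # secret known only to the back end
OWNED_VINS = {"alice": {"VIN-EXAMPLE-0001"}, "bob": {"VIN-EXAMPLE-0002"}}
KNOWN_VINS = set().union(*OWNED_VINS.values())

def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(account, ttl=900):
    """Issued after login: account name and expiry, protected by an HMAC."""
    payload = f"{account}|{int(time.time() + ttl)}"
    return f"{payload}|{_tag(payload)}"

def authenticate(token):
    """Return the account for a genuine, unexpired token, otherwise None."""
    try:
        account, expires, tag = token.split("|")
        expires_at = int(expires)
    except (AttributeError, ValueError):
        return None  # missing or malformed token
    expected = _tag(f"{account}|{expires}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # forged or altered token
    if expires_at < time.time():
        return None  # expired token
    return account

def climate_unauthenticated(vin):
    """Design described in the post: the VIN alone selects the car."""
    return 200 if vin in KNOWN_VINS else 404

def climate_authenticated(vin, token):
    """Authenticated design: prove who is asking, then check VIN ownership."""
    account = authenticate(token)
    if account is None:
        return 401
    if vin not in OWNED_VINS.get(account, set()):
        return 403  # valid login, but not this account's car
    return 200
```

The ownership check matters as much as the token: authentication alone would still let any logged-in user address someone else's VIN.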
 

·
Registered
Joined
·
308 Posts
The car is still communicating with Nissan though as I've just had a charge reminder. Is that side secure or could someone inconvenience us by pretending to be the car and tell Nissan's servers it's somewhere else thus preventing a charge reminder coming through resulting in us not charging the car and getting stranded and being unable to get to the newsagent to buy a lottery ticket on the day our numbers come up causing a rift in our marital relationship which becomes a break up, messy divorce and ending up in financial ruin? Or are we safe?
 

·
Registered
Joined
·
219 Posts
The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF and eNV200) is currently unavailable.

This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.

No other critical driving elements of the Nissan LEAF or eNV200 are affected, and our 200,000-plus LEAF and eNV200 drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle.

We apologise for the disappointment caused to our Nissan LEAF and eNV200 customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.
We're looking forward to launching updated versions of our apps very soon. Thanks, ^ML
 