You like using apps, don’t you? You feel tech-savvy and so in touch with the times that you even have an app that tells you how much in touch with the times you are, right? You have an app to manage your other apps. Everything electronic you own is less than a year old and you have an app for it in your even newer Android iOS Windows iMobile Apple Touchpad Mac biometric app tablet phone thingy, huh? As is to be expected, the car world is not far behind in such matters, and it therefore follows that certain manufacturers have phone-based operating systems for their infotainment screens. That is not news. Some cars, such as the Nissan Leaf and of late, new Volvos, can have several functions in them controlled remotely by an app in one’s phone. That is not news either. The news here is that you can hack into a random Nissan Leaf from anywhere in the world, and I do mean anywhere. All you need is an internet connection, Mozilla Firefox and the following piece of code:
GET https://[redacted.com]/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode =NE&1g=noNO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/ Paris&TimeFrom=2014-09-27T09:15:21
Let me explain what you are looking at. It’s a bit of a story…
The Leaf is an all-electric rechargeable battery plug-in hatchback by Nissan, and the quietest motor vehicle I have ever driven (this does not include cars that stall while in motion, such as the Peugeot 405 SR that once ran out fuel on me on Outer Ring Road). A man named Troy Hunt, computer security researcher by day and hacker by night, owns a Nissan Leaf. While attending a “developer security conference” (think of it as a hacker’s dinner party, if you will), he discovered his car was accessible via the internet. How? Nissan has an app for it, naturally. This is 2016, after all, not 2006.
Hunt, who was in Australia at the time, contacted fellow hacker and fellow Nissan Leaf owner Scott Helme, who was in the UK about his discovery. After some furious typing which I guess must resemble scenes from The Matrix and Swordfish movies, these two gentlemen showed that it was indeed possible to access Helme’s UK-bound Leaf from the Land Down Under using nothing but a web browser and internet. Hunt was able to access a lot of data from the computer in Helme’s car; data such as recent trips, distances of those trips, power usage, charge levels etc. The cherry on top is that the vehicle was not even on at the time. This is dangerous news, and its relevance to us will soon be apparent, just be patient.
In the IT world (which I inhabited briefly before venturing into motoring), there is something called a “back door”. As the name suggests, this is an illegal or unauthorized access point into any system; be it a private network, the code for a program, bypassing security or whatever. The back door in this case is the app itself that Nissan availed for download to Leaf owners to enable them access their cars remotely.
It may be hard to follow but let me clarify: Nissan’s app does not have a back door (that we know of). Nissan’s app is the back door. Any Leaf anywhere in the world can be accessed via internet because that is exactly what the app does. Think of it as a sort of unwitting Trojan Horse. The original hacker (who stays anonymous for now) found that by making his computer a proxy between the app and the internet, the instructions sent by the app to Nissan’s servers could be seen. Visualize it as the mailman opening those love letters you have been sending before delivering them. That piece of code above is what a typical instruction from the app to the server looks like.
There is a part that requests a tag for the VIN (Vehicle Identification Number), which has been censored (naturally) and the host URL has been redacted too (I’m not going to empower any wannabe cyber-terrorists, not today), but VINs are not hard to get. They are visible on any car, if you know where to look. The more worrying thing is, Hunt also discovered that the requests are sent anonymously, i.e there isn’t any identification data AT ALL for the user who sent that request. In other words, even if Nissan’s computer security experts could “see” you accessing their servers, they have no way of knowing who you are or tracking you down. Perfect cover for those with a maleficent bent.
At the moment, one can only access the car’s data (charge state and driving history) as well as control the air-conditioning and heater, but this in itself is worrisome. The data is a serious breach of privacy (tracking individuals without their knowledge is also called “stalking”) while the HVAC controls could be cranked full on and drain the battery thus immobilizing the car and causing the owner a lot of inconvenience.
It is unknown what exactly Nissan makes of this whole affair, but as of the past weekend, the company had frozen all downloads of the Leaf app until a fix is reached.
What is this all about?
Now, around here we have a clique of much-hated uniformed individuals who, I can say with some confidence, have no friends whatsoever. This is owing to the levels of misery they have imparted on motorists who found themselves on the wrong side of the legal divide by the sheer act of committing one traffic infraction of another. I am talking about the NTSA.
There was an announcement recently about how they were to acquire equipment that would yield a 72-hour driving history on any commercial vehicle that came under their suspicion. If you have been speeding at any point within the past 72 hours of your being stopped, this electronic oracle gifted with hindsight was sure to snitch on you without compunction. Naturally, as a car buff and an ex-IT operator, this caught my eye and the first word that came to mind was “hogwash”.
Where is this “history” coming from? Apart from relatively new and highly computerized vehicles such as the Leaf, no car that I know of keeps records of driving tendencies. The best one can hope for is to use the onboard TV/DVD/infotainment screen to get 1) recent GPS searches and 2) “lap times”, as well as average and top speeds attained over a particular period of time. This is the thing: these kinds of data points can only be attained in vehicles so-equipped or through aftermarket installations. Of particular note is the second data point: the only cars known to have factory-installed equipment to log such things are performance maniacs like the Porsche 911 GT3, the Nissan GTR and oddly enough, the outgoing Mercedes-Benz S63 AMG. How many of these do you see being driven around as PSVs or delivery vans? The data-logging also in most cases rarely exceeds the previous half-hour or so (track times), so a 72-hour log is out of the question. How exactly is the NTSA going to know exactly how fast a man in a turbocharged MAN was boosting in the bypass on Sunday if they read this on Wednesday?
Standard engine management units record no such things. And if they did, it would have to be programmed into the ECU. This is a whole other issue and is nearly impossible. The only way they’d know is if they required commercial vehicle owners to install third-party devices that log such data. And that, readers, is where we have a problem.
How many aftermarket devices am I going to hook up to my electrical system? There is the digital speed governor, there is the beeping thingy that keeps passengers awake every time the driver hits 80km/h, there is possibly the fleet management system and now I have to add a government-mandated radio tag like an endangered animal? Why would I install a tracking device on my commercial vehicle if that information is for someone else’s use? There is such a thing as privacy and proprietary information, and I like to keep mine, thank you very much. And before one argues that it is not a tracking device, figure this out: if the data log can specify exactly what speeds you were doing at a particular point in time, it sure as hell will specify where exactly you were doing that speed and that, in anybody’s eye, amounts to a tracking device. Big Brother is here and he is trying to peep through your shower curtain.
The idea makes sense from an operational standpoint, as the owners/operators would like to know how they’re businesses are being conducted. It may also help the owners trace their vehicles should there be a carjacking incident or a heist. The original idea behind installing tracking devices was fitment as a security measure (in case of theft), and not as a report card which will be summoned by Big Brother for assessment at his own whim. The traffic department officers responsible for downloading this information would be sure to get the speeds they are looking for, but they will also see where you have been over the past three days. I’m not sure I want them to know that, unless mandated by the court; and with very good reason. The potential for industrial espionage is very high, which is why a lot of things require a warrant and/or subpoena from a court of law to be accessed. As it is, not many Kenyans trust or even like the police that much (as was proven by a recent viral video involving an Australian pilot and a Kenyan policewoman); and the public holds the view that the boys in blue can be of “service” if their palms are greased accordingly. What is to stop my business rival from greasing some palms to find out exactly how and where my commercial vehicles have been operating?
The self-same NTSA were in the limelight for coming down hard on errant PSVs whenever regulations were flouted. One of those regulations requires every long distance bus to have two drivers. Generally, most companies have more drivers than they do vehicles, to allow for their drivers to take days off and rest and/or take care of other aspects of their lives without operations grinding to a halt. That means driver changes are not only common, but also regular. That means that a Sunday driver, knowing full well the likelihood of speed guns on the road is very low, may break a few speeding laws then hand over the vehicle to his colleague who will then be stopped on Tuesday, have the logs downloaded and is promptly placed under arrest. If this is not unfair, I don’t know what is.
And it will have to be an arrest, because what else happens whenever one is stopped for a traffic violation? So, the Tuesday driver’s civil rights (against arbitrary arrest) will be violated. He may be forced to reveal the identity of the Sunday driver; information he may know nothing about especially in companies with large fleets and complicated management systems. Even if the Tuesday driver is not arrested, the vehicle will still have to be impounded, which inconveniences him even further (think, for example, a Mombasa resident employed as a driver by a truck company and the vehicle is impounded at Burnt Forest in the middle of the night. Where is he supposed to go? How is any of this his fault and why does he have to suffer for another man’s transgressions? Is he Jesus?). If he is paid by the mile, the precious hours lost tracing his errant workmate will be painful to bear come payday.
The NTSA is notorious as a ruthless enforcer of traffic regulations; some sensible, some not so sensible. This, however, is their own doing; I don’t think any law was passed approving whatever measures they intend to take to acquire those 72-hour histories from commercial vehicles. I am not a legal eagle, but I think some for some crimes (such as traffic infractions), it only makes sense to be arrested while in the act. If I overtook on a solid yellow line last week and wasn’t caught, let it go. Try and catch me next time I do it, if I do it again. The biggest question for now is: how, exactly, is the NTSA going to effectively exploit this 72-hour window? Will they hack remotely into susceptible cars a la Hunt & the Nissan Leaf? What criteria will they use to narrow down suspects whose driving histories they are interested in? One cannot perform a traffic stop on all commercial vehicles to download their data; it will create problems that cannot be handled – there are simply too many commercial vehicles on the roads right now. How will they conduct arrests of errant drivers IF there has been a driver change at some point within the preceding 72 hours? Will we hear of “suspects assisting the police in investigations”, meaning innocent drivers placed under duress to rat out their throttle-happy colleagues?
Note: in one of the most socially responsible and totally awesome moves by a government agency ever seen in recent times, the transport and safety authority invited the public to provide feedback on the new instant fines regime for traffic offenders. Members of the public were invited by the Director General of the NTSA to a stakeholders meeting at KICC yesterday (1st of March 2016) to give their thoughts on these fines. Since I didn’t attend that caucus, here is my feedback: I think the instant fines system is the knees of the bee. It saves a lot of time; I have once been in a police station for a traffic offence (which I will not specify) and ended up wasting the entire day there doing nothing but “wait” for my turn to pay the fine. That was a good idea to ask for feedback, Mr. Director General, sir; now hold another meeting where we will tell you exactly what we think of your counterproductive 50km/h speed limit on six-lane dual-carriageways.
