You like using apps, don’t you? You feel tech-savvy and so in touch with the times that you even have an app that tells you how much in touch with the times you are, right? You have an app to manage your other apps. Everything electronic you own is less than a year old and you have an app for it in your even newer Android iOS Windows iMobile Apple Touchpad Mac biometric app tablet phone thingy, huh?
As is to be expected, the car world is not far behind in such matters, so it follows that certain manufacturers have phone-based operating systems for their infotainment screens. That is not news. Some cars, such as the Nissan Leaf, and of late, new Volvos, have several functions in them that can be controlled remotely by an app on one’s phone. That is not news either. The news here is that you can hack into a random Nissan Leaf from anywhere in the world. All you need is an Internet connection, Mozilla Firefox and a code.
Let me explain. The Leaf is an all-electric rechargeable battery plug-in hatchback by Nissan, and the quietest motor vehicle I have ever driven. A man named Troy Hunt, computer security researcher by day and hacker by night, owns a Nissan Leaf. While attending a “developer security conference” (think of it as a hacker’s dinner party), he discovered his car was accessible via the Internet. How? Nissan has an app for it, naturally. After all, this is 2016, not 2006.
Hunt, who was in Australia at the time, contacted fellow hacker and fellow Nissan Leaf owner, Scott Helme, who was in the UK, about his discovery. After some furious typing, these two men showed that it was, indeed, possible to access Helme’s UK-bound Leaf from Australia using nothing but a Web browser and the Internet. Hunt was able to access a lot of data from the computer in Helme’s car, such as recent trips, the length of those trips, power usage and charge levels. The cherry on top was that the vehicle was not even on at the time. This is dangerous news, and its relevance to us will soon be apparent.
In the IT world (which I inhabited briefly before venturing into motoring), there is something called a “back door”. This is an illegal or unauthorised access point into any system, be it a private network or the code for a program, or a means of bypassing security. The back door in this case is the app itself, which Nissan made available for download to Leaf owners to enable them to access their cars remotely.
Consequently, any Leaf anywhere in the world can be accessed via the Internet, thanks to the app. The original hacker (who will remain anonymous for now) found that by making his computer a proxy between the app and the Internet, the instructions sent by the app to Nissan’s servers could be seen. Visualise it as the mailman opening the love letters you send before delivering them.
In the instruction from the app to the server, there is a part that requests a tag for the VIN (Vehicle Identification Number), which has been censored (naturally); the host URL has been redacted too. But VINs are not hard to get. They are visible on any car, if you know where to look.
The more worrying thing is, Hunt also discovered that the requests are sent anonymously. In other words, even if Nissan’s computer security experts could “see” you accessing their servers, they have no way of knowing who you are or tracking you down. Perfect cover for those with a maleficent bent.
At the moment, one can only access the car’s data (charge state and driving history) as well as control the air-conditioning and heater, but this in itself is worrisome. The data is a serious breach of privacy (tracking individuals without their knowledge is also called “stalking”) while the HVAC controls could be cranked full on and drain the battery, thus immobilising the car and greatly inconveniencing the owner.
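For the technically curious, here is the weakness described above next to its remedy, as a small Python sketch. It is an added illustration, not Nissan's code or anything taken from Hunt's research; the handler names, the placeholder VINs and the simple signed-token scheme are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: placeholder VINs and accounts, not real values.
VEHICLES = {
    "VIN-PLACEHOLDER-0001": {"owner": "alice", "charge_pct": 80, "climate_on": False},
    "VIN-PLACEHOLDER-0002": {"owner": "bob", "charge_pct": 55, "climate_on": False},
}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret used to sign session tokens

def _sign(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def issue_token(user):
    """Issued after login (login itself omitted); binds the token to one account."""
    return f"{user}.{_sign(user)}"

def user_from_token(token):
    """Return the account name if the token's signature verifies, else None."""
    if not token or "." not in token:
        return None
    user, mac = token.rsplit(".", 1)
    ok = hmac.compare_digest(mac.encode(), _sign(user).encode())
    return user if ok else None

def handle_weak(vin, action):
    """Behaviour the column describes: the VIN alone selects the car."""
    car = VEHICLES.get(vin)
    if car is None:
        return 404, None
    if action == "climate_on":
        car["climate_on"] = True
    return 200, {"charge_pct": car["charge_pct"], "climate_on": car["climate_on"]}

def handle_hardened(vin, action, token, audit):
    """Authenticate the caller, check that the VIN is theirs, log the decision."""
    user = user_from_token(token)
    if user is None:
        audit.append(("deny-unauthenticated", vin, action))
        return 401, None
    car = VEHICLES.get(vin)
    if car is None or car["owner"] != user:
        # Same answer for unknown and foreign VINs, so VINs cannot be probed.
        audit.append(("deny-not-owner", user, vin, action))
        return 403, None
    audit.append(("allow", user, vin, action))
    return handle_weak(vin, action)
```

The audit list is the part that answers the anonymity problem: every request, allowed or refused, is tied to an account or recorded as having none.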
It is unknown what exactly Nissan makes of this whole affair, but as of last weekend, the company had frozen all downloads of the Leaf app until a fix is reached.
What is this all about?
Now, in Kenya we have the National Transport and Safety Authority (NTSA). It recently announced how it was to acquire equipment that would yield a 72-hour driving history on any commercial vehicle that aroused its suspicion. If you have been speeding at any point within the past 72 hours of your being stopped, this gadget was sure to snitch on you. This caught my eye and the first word that came to mind was “hogwash”.
Where is this “history” coming from? Apart from relatively new and highly computerised vehicles such as the Leaf, no car that I know of keeps records of driving tendencies. The best one can hope for is to use the onboard TV/DVD/infotainment screen to get 1) recent GPS searches and 2) “lap times”, as well as average and top speeds attained over a particular period.
This is the thing: these kinds of data points can only be attained in vehicles so-equipped, or through aftermarket installations. Of particular note is the second data point: the only cars known to have factory-installed equipment to log such things are performance maniacs like the Porsche 911 GT3, the Nissan GTR and oddly enough, the outgoing Mercedes-Benz S63 AMG.
How many of these do you see being driven around as PSVs or delivery vans? Besides, in most cases the data-logging rarely exceeds the previous half-hour or so (track times), so a 72-hour log is out of the question.
How exactly is the NTSA going to know exactly how fast a man in a turbocharged MAN was boosting on the bypass on Sunday if they read this on Wednesday?
Standard engine management units record no such things. And if they did, it would have to be programmed into the ECU. This is a whole other issue and is nearly impossible. The only way they would know is if they required commercial vehicle owners to install third-party devices that log such data. And that is where we have a problem.
How many after-market devices am I going to hook up to my electrical system? There is the digital speed governor, the thing that beeps every time the driver hits 80km/h, there is possibly a fleet management system and now I have to add a government-mandated radio tag like an endangered animal?
Why would I install a tracking device on my commercial vehicle if that information is for someone else’s use? There is such a thing as privacy and proprietary information, and I like to keep mine, thank you very much. And before one argues that it is not a tracking device, figure this out: if the data log can specify exactly what speeds you were doing at a particular point, it sure will specify where exactly you were doing that speed and that, in anybody’s eyes, amounts to a tracking device. Big Brother is here and trying to peep through your shower curtain.
The idea makes sense from an operational standpoint, as the owners/operators would like to know how their businesses are being conducted. It might also help the owners trace their vehicles should there be a carjacking or a heist. The original idea behind installing tracking devices was as a security measure (in case of theft), and not as a report card which will be summoned by Big Brother for assessment at his whim.
The traffic department officers responsible for downloading this information would be sure to get the speeds they are looking for, but they will also see where you have been over the past three days. I’m not sure I want them to know that, unless mandated by the court, and with very good reason.
The potential for industrial espionage is very high, which is why a lot of things require a warrant and/or subpoena from a court of law to be accessed. As it is, not many Kenyans trust, or even like, the police that much, but the public believes that the boys in blue can be of “service” if their palms are greased accordingly. What is to stop my business rival from greasing some palms to find out exactly how and where my commercial vehicles have been operating?
The selfsame NTSA was in the limelight for coming down hard on errant PSVs whenever they flouted regulations. One of those regulations requires every long-distance bus to have two drivers. Generally, most companies have more drivers than they do vehicles to allow their drivers to take days off without operations grinding to a halt. That means driver changes are not only common, but also regular. That means that a Sunday driver, knowing full well the likelihood of speed guns on the road is very low, might break a few speeding laws then hand over the vehicle to his colleague, who will then be stopped on Tuesday, have the logs downloaded and be promptly placed under arrest. If this is not unfair, I don’t know what is.
And it will have to be an arrest because, what else happens when one is stopped for a traffic violation? So, the Tuesday driver’s civil rights (against arbitrary arrest) will be violated. He might be forced to reveal the identity of the Sunday driver, information he might know nothing about, especially in companies with large fleets and complicated management systems. Even if the Tuesday driver is not arrested, the vehicle will still have to be impounded, which inconveniences him even further (think, for example, of a Mombasa resident employed as a driver by a truck company and the vehicle is impounded at Burnt Forest in the middle of the night. Where is he supposed to go? How is any of this his fault and why does he have to suffer for another man’s transgressions?). If he is paid by the mile, the precious hours lost tracing his errant workmate will be painful to bear come payday.
The NTSA is notorious as a ruthless enforcer of traffic regulations, some sensible, some not so sensible. This, however, is their own doing; I don’t think any law was passed approving whatever measures they intend to take to acquire those 72-hour histories from commercial vehicles. I am not a legal eagle, but I think for some crimes (such as traffic infractions), it only makes sense to arrest someone when you catch them in the act. If I overtook on a solid yellow line last week and wasn’t caught, let it go. Try and catch me next time I do it, if I do it again.
The biggest question for now is: how, exactly, is the NTSA going to effectively exploit this 72-hour window? Will it hack remotely into susceptible cars à la Hunt and the Nissan Leaf? What criteria will it use to narrow down suspects whose driving histories it is interested in? One cannot stop all commercial vehicles to download their data; this would create problems that cannot be handled – there are simply too many commercial vehicles on the roads right now. How will they arrest errant drivers if there has been a change of drivers at some point within the preceding 72 hours? Will we hear of “suspects assisting the police in investigations”, meaning innocent drivers placed under duress to rat out their throttle-happy colleagues?
Note: in one of the most socially responsible and remarkable moves by a government agency in recent times, the NTSA director-general yesterday invited the public to provide feedback on the new instant fines regime for traffic offenders. Since I didn’t attend that caucus, here is my feedback: I think the instant fines system is the knees of the bee. It saves a lot of time; I once wasted a whole day at a police station for a traffic offence (which I will not specify) “waiting” for my turn to pay the fine. That was a good idea to ask for feedback, Mr Director General, Sir; now hold another meeting where we will tell you what we think of your 50km/h speed limit on six-lane dual-carriageways.