ars technica has the article Nissan’s connected car app offline after shocking vulnerability revealed.
When a Leaf owner connects to their car via a smartphone, the only information that Nissan’s APIs use to target the car is its VIN—the requests are all anonymous. Those are the findings of Troy Hunt and Scott Helme, who published their findings on Wednesday. Thursday, Nissan took the service offline.
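The flaw the quoted summary describes is a missing authorization check: the API locates the car by VIN, a value that is printed on the dashboard and in public records, and never ties the request to an authenticated owner. The following is an added example, not code from this post, from Ars Technica, or from Nissan; the session store, the car records and the handler names are constructed to show the anonymous handler next to one that binds the VIN to a logged-in owner and records denied attempts for later review.

```python
from dataclasses import dataclass

@dataclass
class Car:
    vin: str
    owner_id: str
    climate_on: bool = False

# Constructed sample data: two cars with different owners.
CARS = {
    "VIN0000000000001": Car("VIN0000000000001", "alice"),
    "VIN0000000000002": Car("VIN0000000000002", "bob"),
}

# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Denied requests are appended here so an operator can spot VIN probing.
AUDIT_LOG = []

def vulnerable_set_climate(vin, on):
    """Anonymous handler: the VIN is the only thing that selects the car.
    Anyone who knows or enumerates a VIN can operate that car."""
    car = CARS.get(vin)
    if car is None:
        return {"status": 404}
    car.climate_on = on
    return {"status": 200, "climate_on": car.climate_on}

def hardened_set_climate(session_token, vin, on):
    """Authenticated handler: the caller must present a valid session and
    the VIN must belong to that caller. A wrong owner and an unknown VIN
    both yield 403 so the response does not confirm which VINs exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        AUDIT_LOG.append({"event": "unauthenticated", "vin": vin})
        return {"status": 401}
    car = CARS.get(vin)
    if car is None or car.owner_id != user:
        AUDIT_LOG.append({"event": "forbidden", "user": user, "vin": vin})
        return {"status": 403}
    car.climate_on = on
    return {"status": 200, "climate_on": car.climate_on}

def forbidden_count_for(user):
    """Number of denied VIN requests by one user; a high count from a single
    session is the signal a defender would alert on."""
    return sum(1 for e in AUDIT_LOG
               if e["event"] == "forbidden" and e.get("user") == user)

if __name__ == "__main__":
    # Anyone can act on bob's car through the anonymous handler.
    print(vulnerable_set_climate("VIN0000000000002", True))
    # alice can control her own car but not bob's through the hardened one.
    print(hardened_set_climate("tok-alice", "VIN0000000000001", True))
    print(hardened_set_climate("tok-alice", "VIN0000000000002", True))
    print("denied requests by alice:", forbidden_count_for("alice"))
```

The important line is the ownership comparison in the hardened handler: authentication alone is not enough, because a logged-in user could still supply another owner's VIN, so the check has to be on the object, not just the session.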
As a retired software engineer with 40 years' experience, and now as a blogger, I know that the art of providing computer security is more complicated than what I can manage, so I depend on experts in the field of computer security to do the work for me. I wish that more large companies had software engineers working for them who had an inkling of how unqualified they are to design security into the systems they deploy. They need to seek out the experts in the field to advise them on security matters.
Such amateur behavior on the part of these software designers gives professional software engineers a bad name. More importantly, this amateur behavior erodes the consumer public's confidence in computer systems. Amateurish behavior of software engineers almost sank President Obama's health care initiative.
I have not supported the idea that engineers working for a large corporation should all have professional engineer credentials to ply their trade, but these sorts of incidents leave me wondering. I guess I can have these thoughts now that I am safely retired and won’t have to get professional engineer accreditation.