Nissan yanks remote-access Leaf app -- 4+ weeks after researchers report critical flaw

This gladhands the idiocy at play here–there was no auth in the connect strings to enable this at all. NONE. Uniqueness in the request was only done by sending the VIN (in plaintext, mind you, that’s how the hack was found). The VIN, which, by law, must be visible through the windshield. So, you snoop your network for the GET command when fiddling with your own Leaf (or a friend’s), see the command structure, change the VIN and Bob’s your uncle. Fucking idiotic.

This isn’t an Internet of Things concern, this is a piss-poor understanding of, or interest in, even the most rudimentary concerns about IT security. This is “password123” level nonsense.

4 Likes
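
The flaw described in the comment above, sketched server-side next to a corrected check. This is an added example, not part of the original post and not Nissan's code; the account names, VINs, function names and the HMAC token scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: which account owns which car (VINs are made up).
OWNERS = {"alice": {"SAMPLEVIN00000001"}, "bob": {"SAMPLEVIN00000002"}}
SERVER_KEY = secrets.token_bytes(32)  # signing key that never leaves the server


def _mac(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Hypothetical: called only after a real login; binds the token to one account.
    A production token would also carry an expiry and travel only over TLS."""
    return f"{account}.{_mac(account)}"


def account_from_token(token: str):
    """Return the account name if the token's MAC verifies, else None."""
    account, _, mac = token.partition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(account).encode())
    return account if ok else None


def climate_control_flawed(params: dict) -> int:
    """The pattern the comment describes: the VIN alone selects the car.
    A VIN is an identifier, not a secret, so this check authenticates nobody."""
    all_vins = set().union(*OWNERS.values())
    return 200 if params.get("vin") in all_vins else 404


def climate_control_hardened(params: dict, token) -> int:
    """Authenticate the caller first, then authorize the VIN against that caller."""
    account = account_from_token(token or "")
    if account is None:
        return 401  # no valid credential presented
    if params.get("vin") not in OWNERS.get(account, set()):
        return 403  # valid login, but the car belongs to someone else
    return 200
```

The distinction between the 401 and 403 branches is also what makes the hardened version monitorable: repeated 403s from one account against many VINs is an enumeration signal the flawed handler could never emit.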