Customer data from 800,000 electric cars and owners exposed online


Volkswagen’s automotive software company, Cariad, exposed data collected from around 800,000 electric cars. The info could be linked to drivers’ names and reveal precise vehicle locations.

Terabytes of Volkswagen customer details in Amazon cloud storage remained unprotected for months, allowing anyone with little technical knowledge to track drivers’ movement or gather personal information.

The exposed databases include details for VW, Seat, Audi, and Skoda vehicles, with geo-location data for some of them being as precise as a few centimeters.

Precise geo-location data

Access to the car data was possible due to Cariad’s incorrect configuration in two IT applications, a company representative told BleepingComputer.

Cariad was informed of the issue on November 26 by the Chaos Computer Club (CCC), the largest organization of ethical hackers in Europe, which for more than 30 years has promoted security, privacy, and free access to information.

According to German publication Spiegel, the CCC found out about the vulnerability from a whistleblower and tested the insecure access before responsibly informing Cariad and Volkswagen and providing technical details.

In a statement to BleepingComputer, a Cariad representative said that the exposed data affected only vehicles that were connected to the internet and had been registered for online services.

From the nearly 800,000 vehicles exposed, the researchers found geo-location data for 460,000 cars, for some of them with an accuracy of ten centimeters.

A little over 30 vehicles were part of Hamburg police’s fleet of patrol cars, while others belonged to suspected intelligence service employees, Spiegel says.

The company said that the CCC hackers could access the data only after bypassing several security mechanisms that required significant time and technical expertise.

Additionally, because individual vehicle data was pseudonymized for privacy purposes, the hackers had to combine different data sets to associate the details with a particular user.

However, Spiegel assembled a team of IT experts and journalists who found location details collected from the cars of two German politicians, Nadja Weippert and Bundestag member Markus Grübel, using freely available software.

The tools searched for exposed Cariad assets that contained files with sensitive information, which led to finding a copy of a memory dump from an internal Cariad application.

Inside the memory dump the hackers discovered access keys to a cloud storage instance on Amazon where Cariad saved data collected from Volkswagen Group customers’ vehicles.
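The failure described above, cloud access keys left readable inside a memory dump, is something a team can check for before a dump leaves a host. The following Python sketch is an added example, not code from the article, Cariad, or the CCC; it generalizes slightly by also handling strings stored as UTF-16LE, and the sample dump, the function name `scan_dump`, and the second key ID are constructed for illustration.

```python
import re

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-alphabet characters; only counted near a key ID.
SECRET = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def scan_dump(data: bytes, window: int = 256) -> list[dict]:
    """Return one finding per access key ID found in a raw memory dump."""
    # Strings in a dump may be single-byte or UTF-16LE. Taking every second
    # byte at each alignment turns UTF-16LE ASCII text back into plain bytes.
    views = [("ascii", data, 1, 0),
             ("utf-16le", data[0::2], 2, 0),
             ("utf-16le", data[1::2], 2, 1)]
    findings = []
    for encoding, view, stride, start in views:
        for m in KEY_ID.finditer(view):
            lo = max(0, m.start() - window)
            nearby = SECRET.search(view, lo, m.end() + window)
            findings.append({
                "offset": m.start() * stride + start,  # byte offset in the file
                "encoding": encoding,
                "key_id": m.group().decode("ascii"),   # needed to rotate the key
                "secret_nearby": nearby is not None,   # the secret is never returned
            })
    return findings


# Constructed sample: the ASCII pair is the placeholder credential used in AWS
# documentation; the UTF-16LE key ID is made up for this example.
SAMPLE_DUMP = (
    b"\x00\x01heap "
    b"aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\x00"
    b"aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\xff" * 7
    + "ASIACONSTRUCTED00001".encode("utf-16-le")
    + b"\x00\x00tail"
)

if __name__ == "__main__":
    for finding in scan_dump(SAMPLE_DUMP):
        print(finding)
```

Any finding with `secret_nearby` set should be treated as a live credential: rotate the key and keep the dump out of any web-reachable or shared location.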

Spiegel reports that some data points referred to the longitude and latitude location of the cars when the electric motor was turned off.

“In the case of VW models and Seats, this geodata was accurate to within ten centimeters, and for Audis and Skodas to within ten kilometers and was, therefore, less problematic” – Spiegel

Most of the affected vehicles, 300,000 of them, were in Germany but the researchers also found details about cars in Norway (80,000), Sweden (68,000), the United Kingdom (63,000), the Netherlands (61,000), France (53,000), Belgium (68,000), and Denmark (35,000).

Quick fix after responsible disclosure

Cariad told BleepingComputer that its security team reacted quickly to fix the problem and closed access the same day the CCC sent them the report.

CCC representatives confirmed to Spiegel that Cariad’s “technical team responded quickly, thoroughly and responsibly” and that the company reacted within hours of receiving the technical details.

Based on the results of its investigation, Cariad has no evidence suggesting that other parties, except the CCC hackers, had access to the exposed vehicle data or that the information had been misused by a third party.

The company also emphasizes that the CCC only had access to data collected from the vehicles and could not access the cars themselves.

Cariad says that customers of the Volkswagen Group brands can agree to use products and services that require the processing of personal data and can deactivate the option at any time.

However, the company notes that the data collected from the vehicles helps it “provide, develop, and improve digital functions” for its customers as well as create additional benefits.

“Without this data, smart, digital and personalized functions could not be provided, optimized or expanded” – Cariad

As an example, the company explains that customers’ charging behavior and habits are anonymized and help optimize future battery generations and charging software.

At the same time, the collected data is stored in the cloud in a way that protects the identity of the customer and their movement with the vehicle.

“The brands in the Volkswagen Group collect, store, transmit and use personal data exclusively within the framework of legal regulations and an existing contractual relationship, legitimate interests or explicit consent from the customer,” Cariad says.

The automotive software company also says that it employs strong data protection practices that include storing data points separately, restrictive access rights, pseudonymization, and anonymization, as well as aggregating and processing data within stated purposes.
