A software development subsidiary of VW was storing journey data from hundreds of thousands of electric vehicles in an easily accessible way.
A subsidiary of the Volkswagen Group stored detailed journey data for 800,000 electric vehicles in Amazon’s cloud in a way that made it easily accessible to intelligence services, competitors, criminals or even “bored teenagers,” Der Spiegel reported, citing research carried out in cooperation with the Chaos Computer Club (CCC). The data was discovered by an anonymous source and verified using data provided by, among others, members of the Lower Saxony state parliament and the German Bundestag.
Data on vehicles from multiple VW brands
The data was collected by Volkswagen subsidiary Cariad, which is responsible for the group’s software development. A “configuration error” meant that the data was not adequately protected. According to Der Spiegel, it includes several terabytes of location data from Volkswagen, Seat, Audi and Skoda vehicles. The data is collected via a Volkswagen app that gives access to various information about the vehicle’s condition. The data found for 460,000 vehicles is so precise that conclusions can be drawn about the lives of those behind the wheel: geodata for VW and Seat models is accurate to within 10 centimetres.
According to the investigation, some of the data can be linked to the vehicle owner’s personal profile; in some cases, detailed movement data can also be combined with addresses and mobile phone numbers. “A whole bunch of keys were left under a doormat that was too small,” said Linus Neumann, a spokesman for the CCC. Cariad explained that the data was collected “to improve batteries and associated software” and that, in its view, the data was not combined in a way that would allow conclusions to be drawn about individual people or movement profiles to be created.
Fatal “misconfiguration”
After the CCC was made aware of the accessible data collection, it informed Cariad and the VW Group headquarters, among others. The group subsidiary reacted within a few hours and did not try to downplay the extent of the incident. The gap has since been closed and unauthorized persons can no longer access the data. According to the report, the “misconfiguration” was an exposed copy of the most recent memory dump of a Cariad application. This dump contained the access credentials for the Amazon cloud storage in which the movement data was located.
Der Spiegel explains that this data could have allowed unauthorized individuals to determine which vehicles regularly park in front of intelligence agencies or US military buildings, and to whom they belong. It could also have been used to find out which cars regularly park in front of brothels, prisons or addiction clinics in order to threaten their owners, and it would have been very useful for stalking. According to Cariad, however, there is currently no evidence that any third party other than the CCC accessed the data, although the analysis has not yet been completed.