German car manufacturing giant Volkswagen has unintentionally exposed the data of 800,000 owners of its electric vehicles.
As discovered by a German ethical hacking group, the Chaos Computer Club (CCC), vehicle owner data stored on the Amazon Cloud was left exposed to the public for months thanks to a misconfiguration in the car company’s software subsidiary, Cariad.
The data included names and precise vehicle locations, which would allow anyone with the technical knowledge to track a driver’s movements.
The exposure affected owners of Volkswagen, Audi, Skoda and Seat vehicles. According to reports, the cloud database contained terabytes of data, and the geolocation data was accurate to within a few centimetres.
According to reports, 460,000 of the almost 800,000 vehicles affected had their geolocation data exposed.
Of the affected vehicles, 300,000 were based in Germany, followed by Norway with 80,000, Sweden with 68,000, Belgium also with 68,000, the UK with 63,000, the Netherlands with 61,000, France with 53,000, and Denmark with 35,000.
The CCC, which discovered the vulnerability thanks to a whistleblower, notified Cariad of the issue on 26 November.
Speaking with BleepingComputer, a spokesperson for Cariad said that only vehicles that were internet-connected and had registered for online services were affected, and that hackers would need a number of data sets because the data was pseudonymised.
The company added that the CCC could only access the exposed data after passing a number of security measures, which require serious technical knowledge and time to breach.
However, a team of journalists and IT experts put together by German publication Spiegel was able to use free software to identify the location data of cars belonging to a pair of German politicians, Markus Grübel and Nadja Weippert.
“In the case of VW models and Seats, this geodata was accurate to within 10 centimetres, and for Audis and Skodas to within 10 kilometres and was, therefore, less problematic,” said Spiegel.
Cariad told BleepingComputer that it responded to the incident quickly and released a fix, a claim that the CCC confirmed.
Cariad also said that its investigation suggests that beyond the CCC ethical hackers, nobody had accessed the vehicle data and that no misuse had occurred.