A “misconfiguration” in Volkswagen’s automotive software subsidiary, Cariad, has led to a significant data breach, exposing the location data of approximately 800,000 electric vehicles across its brands, including VW, Audi, Skoda, and Seat.
This revelation comes from a report by German news magazine Spiegel, which details how the Chaos Computer Club (CCC), Europe’s largest ethical hacker organization, discovered and reported the vulnerability to Cariad on November 26th.
The CCC, acting on a tip from a whistleblower, found that the exposed data included precise location information for some vehicles, raising serious privacy concerns. As Spiegel notes, this data “could potentially be linked to the names and contact details of drivers,” enabling the creation of detailed movement profiles.
Cariad acknowledged the breach, attributing it to a “misconfiguration” – essentially, a preventable error in the system’s setup. A Cariad representative said that the exposure affected only internet-connected vehicles registered for online services.
Spiegel reports: “In the case of VW models and Seats, this geodata was accurate to within ten centimeters, and for Audis and Skodas to within ten kilometers and was, therefore, less problematic.”
The breach affected vehicles primarily in Europe, with the majority in Germany (300,000), followed by Norway (80,000), and Sweden (68,000).
The CCC’s investigation uncovered a concerning level of detail:
- Sensitive locations: Over 30 of the affected vehicles were Hamburg police patrol cars, and others were linked to suspected intelligence service employees.
- Public figure tracking: Spiegel’s team, using freely available software, identified location data for two German politicians, highlighting the potential for misuse.
- Cloud storage vulnerability: Within a memory dump from an internal Cariad application, the hackers discovered access keys to a Cariad cloud storage instance on Amazon, where customer vehicle data was stored.
While Cariad maintains that accessing the data required bypassing multiple security mechanisms and that individual vehicle data was pseudonymized, the CCC’s findings demonstrate the potential for exploitation. This incident underscores the growing cybersecurity challenges facing the automotive industry as vehicles become increasingly connected and data-driven.