Major data leak in Volkswagen electric cars
This was reported by Der Spiegel after a joint investigation with the Chaos Computer Club (CCC), a European hacker group. According to the report, several terabytes of data were "largely unprotected" and stored in cloud storage belonging to Amazon subsidiary AWS. Precise location data could be viewed for around 460,000 vehicles, and much of the other vehicle data could be linked to names and contact details – for example, those of the driver, owner, or fleet manager.
Following a tip-off from a whistleblower, a Spiegel team was able to identify the vulnerability. Through a few detours and "systematic guesswork," the team gained access to a copy of the latest memory log of an internal Cariad application. There, the reporters and IT specialists found the access credentials for the aforementioned cloud storage. The data of the individual vehicles was stored there, including the transmitted battery charge level, inspection status and whether the drive is switched on or off.
When the drive was switched off, the position of the car and the time were transmitted. With 300,000 vehicles, Germany is the country most affected, followed by Norway (80,000 vehicles), Sweden (68,000), and the UK (63,000), all European countries with a fairly high share of electric cars.
As access credentials for VW's own service were also stored elsewhere, the information from the vehicle data could be linked to registered users. This enabled Der Spiegel to precisely analyse the movement profiles of two regional politicians (with their permission) and to assign vehicle data to other politicians, business leaders, or the Hamburg police with its 35 or so electric patrol cars, to name just a few examples. In the case of the VW ID.3 and ID.4, the data was apparently particularly detailed; in some cases, the location was stored to an accuracy of ten centimetres. In contrast, the affected MEB models from Audi and Seat, i.e. the Q4 e-tron and Cupra Born, were only accurate to ten kilometres, which makes a movement profile much less meaningful.
The CCC had sent a corresponding notice and technical details to Cariad in advance, giving the company 30 days to protect the data before publication. Cariad responded "within a few hours"; the gap has been closed, and the data is no longer accessible. However, instead of a security vulnerability, the company prefers to talk about a "misconfiguration." Apart from the CCC, nobody had accessed the systems, and there were "no indications of misuse of data by third parties." Cariad collects the data to analyse customers' charging behaviour, for example, so that the batteries and software can be improved.
spiegel.de (in German), ccc.de (CCC video for download in German, English and French), theverge.com