A data leak exposed the real-time location of around 800,000 Volkswagen (VW) electric vehicles, impacting owners globally, according to a report by German news magazine Der Spiegel. The exposed data included GPS coordinates and personal information.
Data exposure details and implications
The global incident affected owners of electric vehicles from VW, Audi, Seat, and Skoda. The location data allowed for tracking where vehicles were parked, whether at home, on the street, or at sensitive locations such as brothels. The data was publicly accessible due to an error in a system managed by a VW subsidiary called Cariad, which collects data after a car owner sets up the VW app. This app allows users to preheat the car, monitor battery charge levels, and check the remaining range, and the data it collects creates a detailed profile of daily movements.
Der Spiegel reported that the data remained exposed on Amazon’s cloud storage system for several months, amounting to several terabytes of information. Before the vulnerability was addressed, accessing this data posed little challenge to intelligence services, competitors, criminals, or even casual users with basic skills. The exposed data linked vehicle information to owners’ names, contact details, email addresses, home addresses, and cell phone numbers in some cases.
The error reportedly stemmed from a mistake made last summer in the Cariad system that went unnoticed. The serious breach came to light after a whistleblower alerted both Der Spiegel and the Chaos Computer Club. This exposure could have serious implications, including potential tracking of politicians or targets by foreign intelligence, and blackmailing individuals based on their movements.
Reactions and company response
In response to inquiries from Der Spiegel, Cariad stated it collects pseudonymized data to enhance its batteries and software. The company insisted that customers need not take any action as no sensitive information, such as passwords or payment details, was compromised. They also noted that vehicle owners have the option to deactivate data processing services.
The incident has been described as a significant embarrassment for VW, highlighting ongoing issues with data collection practices among automakers due to advancements in vehicle connectivity. Nadja Weippert, a politician affected by the breach, expressed concern over the unencrypted storage of her vehicle data, stressing the need for VW to reduce data collection and improve protections.
Similar sentiments were echoed by Markus Grübel, another politician affected by the breach, who described the situation as “annoying and embarrassing.” Both Weippert and Grübel noted the risks associated with such data leaks in society, particularly regarding personal safety and privacy. This leak not only concerns individual citizens but also includes data on police vehicles and potentially intelligence personnel, with accessible details that could reveal sensitive information about their whereabouts.
The Chaos Computer Club praised Cariad’s prompt response in addressing the vulnerability after being alerted. The CCC had provided precise details about the security weaknesses, insisting on a swift closure of data access. They noted that accessing the data required combining various datasets and exploiting the misconfiguration in the system, which should not have been publicly accessible.
This incident exemplifies the growing concern regarding data privacy in modern vehicular technologies. A 2023 study by the Mozilla Foundation examined data practices across multiple car brands, revealing that many collect excessive data, often more than necessary for product functions. The study noted that 76 percent of car brands assessed had the capacity to resell collected data.
Security issues are not isolated to VW; other automakers have faced significant breaches as well. In January 2023, hackers demonstrated the ability to gain unauthorized access to BMW staff accounts and even manage Mercedes-Benz communication. The infamous Jeep hack in 2015, where specialists remotely controlled a vehicle’s functions, initiated broader scrutiny and accountability for cybersecurity among manufacturers.



