A security oversight by software company Cariad left the location data of 800,000 VW Group electric cars in Europe exposed on the open internet for several months, a new report claims. A whistleblower informed Spiegel, a German news outlet, and a European hacker association of the vulnerability, which linked the information with other personal details such as an owner’s name.
The security hole allowed the publication to track the location of two German politicians with alarming precision, with the data placing a member of the German Defense Committee at his father’s retirement home and at the country’s military barracks. Spiegel also profiled a mayor, with her car collecting her movements from the town hall where she worked to her physical therapist. It found data for cars from Volkswagen, Audi, SEAT, and Skoda, alongside incredibly detailed data about VW ID.3 and ID.4 owners.
The publication said it found several terabytes of data accessible on Amazon cloud storage, including the precise location of 460,000 vehicles that could allow it to draw conclusions about the lives of those who own the vehicles. It found information about the 35 electric cars in the Hamburg police department’s fleet, other politicians, business leaders, employees of the Federal Intelligence Service, and drivers heading to the United States Air Force’s Ramstein Air Base.
The hacker group, the Chaos Computer Club, informed Cariad about the vulnerability, and the company quickly patched the issue. Cariad told Spiegel that the vulnerability was a “misconfiguration” and that the company doesn’t merge data that would allow someone to create a profile about a person. According to the company, the researchers had to combine different data sets by “bypassing several security mechanisms.” It also said it's unaware of anyone accessing the data other than the CCC.
Sources: Spiegel, Chaos Computer Club