Stored in the cloud: Terabytes of movement data from VW electric cars found
The Volkswagen subsidiary responsible for software development stored movement data from around 800,000 electric cars in such a way that it was easy to access.
A subsidiary of the Volkswagen Group has stored extremely detailed movement data from 800,000 electric cars in the Amazon cloud in such a way that intelligence services, competitors, criminals or "bored teenagers" could have accessed it without great difficulty. This was reported by Spiegel Online, citing research carried out in collaboration with the Chaos Computer Club (CCC). According to the report, the data was discovered by an anonymous whistleblower and checked against the data of a member of the Lower Saxony state parliament and a member of the Bundestag, among others.
Data on vehicles from several VW brands
The data was collected by the VW subsidiary Cariad, which is responsible for the car manufacturer's software development. Due to a "misconfiguration", the data was not sufficiently secured. According to Spiegel Online, this involves several terabytes of location data from vehicles of the VW, Seat, Audi and Skoda brands. The data was collected by the Volkswagen app, which can be used to call up various information on the condition of the vehicles. The data discovered for 460,000 vehicles is so precise that it allows conclusions to be drawn about the lives of the people behind the wheel. The geodata for VW and Seat models, for example, is accurate to within ten centimeters.
According to the research, some of the data could be linked to personal profiles of vehicle owners. In some cases, the detailed movement data could even have been merged with addresses and cell phone numbers. CCC spokesperson Linus Neumann speaks of a "huge bunch of keys lying under a doormat that was far too small". Cariad explained that the data had been collected "to improve batteries and the associated software". The merging described had never been carried out "in such a way that it is possible to draw conclusions about individual persons or create movement profiles".
Disastrous "misconfiguration"
After the CCC was made aware of the accessible data collection, Cariad and the VW Group headquarters, among others, were informed. The subsidiary reacted within a few hours and did not even try to play down the extent of the incident. In the meantime, the gap has also been plugged and unauthorized persons can no longer access the data. According to the report, the "misconfiguration" was a copy of the latest memory dump of a Cariad application. This dump contained the credentials for the cloud storage at Amazon, where the transaction data was stored.
According to Spiegel Online, unauthorized persons could have used the data to find out, for example, which vehicles regularly park in front of secret service or US military buildings and to whom they belong. It could also have been used to find out which cars regularly stop in front of a brothel, a prison or addiction clinics, for example, and thus to initiate blackmail attempts. The data would also have been extremely useful for stalking. According to Cariad, there are currently no indications that third parties other than the CCC had access to the data. However, the analysis has not yet been completed.
(mho)