Does anybody know the over-under on how many failure dominoes the Volkswagen Group would drop before the end of 2024? Because the latest one involves a whistleblower report about the personal data of nearly a million vehicle owners being left unprotected and essentially available to anyone online.
According to an investigation by German news outlet Spiegel, location information and personal data of some 800,000 electric vehicle owners—including that of German politicians and other VIPs—that should’ve been private were freely open and accessible on the internet for months. More accurately, everyone knows what you did last summer and since then.
How? Because there’s a VW app for that, and Amazon stored its info using shoddy cloud security.
Developed by VW subsidiary Cariad, its connected car app is intended to be an extension of the car and its features. Like similar automaker apps, the Cariad application allows owners to start the vehicle remotely, manage climate controls, check battery charging status, etc.
What the app also does is collect GPS information and driving data, which is sent back to the automaker. Cariad told Spiegel gathering “‘pseudonymized data on customers’ charging behavior and habits’ is used to improve batteries and the associated software.” Cariad also claimed the info isn’t combined with other data sets within the company, making it impossible to connect individuals and vehicle profiles.
Not that it mattered because a summertime misstep left that sensitive information unencrypted and exposed like an open wound waiting for cyberattack salt. Although the information wasn’t exactly set up with a dedicated website titled “FREE PERSONAL INFO OF 800K, INCL. POLITICOS,” Spiegel says you just had to know where to look, and accessing it would’ve been easy for “even bored teenagers.”
The poor internet security made otherwise invisible Cariad websites and subpages very visible with easy-to-guess file extensions. One such extension led to a recent memory dump of an internal Cariad app. No password was required, and the data dump included log-in credentials to an Amazon cloud storage facility, which contained all the sensitive vehicle stuff.
Of the affected vehicles, 300,000 were in Germany. However, Spiegel reports that vehicles in other European countries and elsewhere were also part of the unprotected data population. Whether any were in North America was not specified.
Whose information was ready, willing, and able to be used by those with nefarious intent? Owners of Audi, Seat, Škoda, and Volkswagen EVs. Considering the vehicle price variance, this meant anyone from the local baker or stay-at-home parent to police, politicians, and other people of influence. In fact, 35-plus Hamburg Police patrol EVs and vehicles owned by suspected intelligence officers were part of the open directory.
There were varying levels of lax security, but for 460,000 owners, the unsecured data was too precise and personal. For VW and Seat models, the geodata was accurate within 10 cm (4 inches) of a vehicle’s location. For Audi and Škoda vehicles, the location was pinned within a 10-km range (about 6 miles), which is close enough to suspect a partner of cheating but far away enough to still give one the benefit of the doubt. Other data found included owner emails, addresses, and phone numbers.
Nevertheless, it wasn’t until Europe’s largest hacker association, the Chaos Computer Club, informed VW Group about the security gap that the issue was handled and unauthorized access was summarily blocked. Cariad says that besides the CCC, it has “no evidence of any misuse of data by third parties.” Also, no passwords or payment information was released, so there is no additional action required on the owner’s part. I guess that’s a relief?
Look, everyone’s been hacked at this point. And should we be surprised in this growing IoT world where everything has to be connected? I mean, do I want or need my fridge to talk to my dog’s collar? No, but that’s what was on sale at Costco.
If connected products are all manufacturers offer, should consumer protection be left to the buyer or the producer? Or, better yet, just deactivate things that shouldn’t be tracking you to begin with. Is the convenience of remote start really worth having your identity stolen?