A leak at CARIAD, part of the Volkswagen Group, exposed the data of 800,000 electric vehicles. The precise geolocation of drivers was traceable in many cases.
The leak occurred due to a misconfiguration in two of CARIAD’s IT applications. On Nov. 26, the software maker was notified by ethical hackers from the Chaos Computer Club (CCC) about the exposed information. This group reportedly learned of the enormous data breach through a whistleblower.
Precise GPS
Only drivers who connected their cars to the internet and signed up for online services were affected by the leak. Because the level of exposure varied per vehicle, the precise geolocation of 460,000 of the 800,000 EVs could be read out with an accuracy of 10 centimeters. Der Spiegel reported that more than 30 Hamburg police cars could be tracked in this way. With the help of IT experts, the publication also managed to find the cars of two German politicians in the leak.
CARIAD’s anonymization thus proved insufficient. A memory dump of an application used by CARIAD contained keys to a cloud storage instance on AWS in which the data of Volkswagen customers could be found. Even when a car was switched off, its geolocation could be seen. Of the 800,000 cars, the ethical hackers found information on 300,000 electric cars in Germany as well as tens of thousands in many other countries.
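The failure mode described above, cloud credentials sitting in a memory dump, is something a defender can check for before such artifacts leave a secured environment. The scanner below is an added illustration and is not CARIAD's or the CCC's code; it flags AWS access-key-shaped tokens in a byte blob and reports whether a secret-key-shaped string sits close by. The constructed sample dump uses AWS's own documented example credentials (not live keys), and the regexes are the usual key-shape heuristics rather than an authoritative format.

```python
import re

# AWS access key IDs are 20 characters: a known prefix plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# A secret access key is 40 characters from the base64 alphabet. It is only reported
# when it sits close to an access key ID, which keeps false positives down.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def find_aws_credentials(dump: bytes, window: int = 128):
    """Return (offset, key_id, secret_nearby) for every access-key-shaped token.

    `secret_nearby` is True when a 40-character base64-looking string appears
    within `window` bytes before or after the key ID, i.e. a likely live key pair.
    """
    hits = []
    for m in ACCESS_KEY_RE.finditer(dump):
        start, end = m.start(1), m.end(1)
        neighbourhood = dump[max(0, start - window):end + window]
        secret_nearby = SECRET_RE.search(neighbourhood) is not None
        hits.append((start, m.group(1).decode("ascii"), secret_nearby))
    return hits


# Constructed sample "heap snapshot" (hypothetical). The key values are the example
# credentials from AWS documentation, embedded to show how such material looks in a dump.
SAMPLE_DUMP = (
    b"\x00\x00vehicle_status_cache\x00"
    b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
    b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    b"lat=53.5503,lon=9.9937\x00"
    + b"\x00" * 256                       # padding so the next token has no secret in range
    + b"AKIAZZZZZZZZZZZZZZZZ"             # key-shaped token with no secret nearby
)

if __name__ == "__main__":
    for offset, key_id, paired in find_aws_credentials(SAMPLE_DUMP):
        status = "PAIRED WITH SECRET" if paired else "key ID only"
        print(f"offset {offset:#06x}: {key_id} ({status})")
```

Any hit with `secret_nearby` set should be treated as a live credential pair: rotate the key and audit its use, then work out how it reached the dump in the first place.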
According to CARIAD, it responded to the CCC’s notification within a day. The CCC confirms this, saying that CARIAD’s technical team acted “quickly, thoroughly and responsibly” after being informed. In short, given how serious the exposure was, the leak was closed quickly and handled properly. Fortunately, it also appears that the information was accessed only by well-intentioned hackers. Nevertheless, it cannot be ruled out that another party obtained the same data unnoticed, although there is no evidence of it.
The promise of connected cars versus data collection
We have previously concluded that modern cars are a privacy nightmare. In late 2023, Mozilla research showed the depth of automakers’ knowledge about their drivers: 84 percent of automakers sell the data they collect (albeit anonymized). Moreover, many brands’ privacy statements are particularly broad, such as Nissan’s in the U.S., under which sexual activity, health diagnoses and genetic information could be used for targeted marketing. How an automaker acquires such knowledge about a user is anybody’s guess. Still, it shows an industry that is anything but privacy-minded.
“Without this data, smart, digital and personalized functions cannot be delivered, optimized or expanded,” is CARIAD’s explanation of the data collection. On top of that, the software maker argues that Volkswagen Group is legally justified in obtaining and storing the data.
This is not the first time a Volkswagen unit has experienced a major leak. For example, 3.3 million Audi customers and interested parties suffered a data breach in 2021. The vast majority of affected individuals were in the U.S., while 163,000 Canadians were also exposed to the leak.
However, that leak involved the kind of data that could just as easily be stolen from insurers, brokers or law firms. The difference with the CARIAD leak is that this time the information comes directly from the cars’ highly accurate sensors, and if tracked over a long period it could have had serious consequences for individual drivers or security agencies. It remains to be seen whether users consider the “smart, digital and personalized functions” of the Volkswagen app worth such a risk. Remotely switching on a charging mode, navigation assistance and anti-theft options sound like useful additions, although the data required for them appears to be more limited than what was found on CARIAD’s cloud instance.