Cariad, VW Group’s software arm, made this classic error.
Personal data from hundreds of thousands of cars sat unsecured for about six months. Volkswagen was keeping it in an Amazon cloud storage instance, but didn’t secure the keys.
The big German firm ist sehr verlegen. In today’s SB Blogwatch, we hope for a safer 2025.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 2024 in film.
CCC: Cariad Car Chaos
What’s the craic? Patrick Beuth, Flüpke, Max Hoppenstedt, Michael Kreil, Marcel Rosenbach and Rina Wilkin are lost in translation: We know where your car is
“It is a disgrace”
Several terabytes of data on around 800,000 electric cars was largely unprotected and accessible for months in an Amazon cloud storage system. VW, Seat, Audi and Skoda vehicles in … Europe and other parts of the world are affected. And … much of the vehicle data could be linked to the names and contact details of the drivers [or] owners.
…
Precise location data was available for 460,000 vehicles, allowing conclusions to be drawn about the lives of the people behind the wheel [including] the Hamburg police … and suspected intelligence service employees. … It might be interesting for foreign intelligence services to see whose car is parked near Federal Intelligence Service buildings or is driving to the U.S. Air Force airfield in Ramstein … every day.
…
It is a more than embarrassing glitch. … It is a disgrace. … Especially in the area of security of private data, which the Germans like to cite as a location advantage over the much more lax USA. [Not] even bored teenagers would have had any real challenge in gaining access. Everything was out in the open, you just had to know where to look.
Oops. Thanos Pappas accelerates: Massive VW Data Leak
“Urgency”
Sometimes, the worst breaches come not from shadowy cybercriminals but straight from the companies we trust. … Someone with the right know-how could casually snoop on your car’s whereabouts and habits. … And not just briefly, but for months on end.
…
This glaring error originated from Cariad, a VW Group company that focuses on software, due to an error that occurred in the summer of 2024. An anonymous whistleblower used freely accessible software to dig up the sensitive information and promptly alerted Chaos Computer Club (CCC), Europe’s largest [ethical] hacker association. … According to CCC, Cariad’s technical team “responded quickly, thoroughly and responsibly,” blocking unauthorized access to its customers’ data.
…
[But] automakers need to ensure they’re doing more than playing catch-up. … It’s time for the auto industry to treat cybersecurity with the same urgency as crash safety.
What has VW got to say for itself? Ionut Ilascu indicates: Customer data from 800,000 electric cars and owners exposed online
“Access keys”
Cariad says … access to the car data was possible due to … incorrect configuration in two IT applications [and] that the CCC hackers could access the data only after bypassing several security mechanisms that required significant time and technical expertise. [But] a team of IT experts and journalists … found location details collected from the cars of two German politicians … using freely available software.
…
[They] searched for exposed Cariad assets that contained files with sensitive information, which led to finding a copy of a memory dump from an internal Cariad application. Inside the memory dump the hackers discovered access keys to a cloud storage instance on Amazon.
How can car firms avoid data loss? Don’t collect it in the first place! So says cherryteastain:
We need a way to disable vehicle telemetry. No, a software switch is not enough.
We need to be able to physically unplug the cellular modem entirely and have the vehicle work with 100% functionality (barring features which inherently require cellular connectivity). … Car manufacturers’ features are mostly useless anyway thanks to Android Auto/Apple CarPlay.
But would that work? Zarhan has first hand experience:
I’m so darn glad I disabled GPS on my car. … Day one after getting home with the car was to hook up OBDEleven into it, go to the telematics module, and disable GPS. … The location info has shown the car being parked in my yard for the past four years.
…
Only problem is that the remote control functions like heating and the like start to fail every few months, because apparently the protocol used between the car and VW Group’s servers have some timestamps in them, and after a few months the car’s clock has started drifting. So I’ll enable GPS for a few minutes to get the clock back into sync and then disable it again.
How does such a leak happen? After all, VW Group is hardly a fly-by-night operation. Žilvinas has seen it all before:
That’s pretty common in legacy enterprises. No one really understands anything about IT safety. All they care about is getting expensive lawyers to write GDPR compliance papers.
Is this the en****tification of legacy cars? oellegaard thinks it’s a wider problem:
I own both a Mercedes and a Skoda (owned by VW) and I feel like both companies are headed in an extremely bad direction. … Now Mercedes wants to charge me 200–300 USD/year for navigation and the ability to remotely lock your door.
…
I don’t have any faith in Tesla either. … If I were to buy a car today, I’m not sure where to look.
But shouldn’t there be an opt in? Smidge204 eyerolls furiously:
Tell me you’ve never leased or purchased a new car without telling me. Surely you’re aware that the process involves a certain amount of paperwork? What do you suppose they need so many signatures for?
Spoiler alert: One of those is agreeing to the Terms of Service for their telematics service, giving them permission to spy on your driving habits. … It’s all there buddy, have fun.
Meanwhile, how might one exploit such a vuln? olddog2 shows off a new trick: [You’re fired—Ed.]
Find the guys who usually park at expensive family homes, but occasionally visit a known brothel. Then blackmail them.
And Finally:
How does this only have 100 views?
Previously in And Finally
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Rutger van der Maar (cc:by; leveled and cropped)
