Volkswagen’s Cariad Reveals Location Info for 800,000 Electric Cars

Threat Actor: Chaos Computer Club (CCC)
Victim: Volkswagen’s Cariad
Price: N/A
Exfiltrated Data Type: Location data of electric vehicles

Key Points:

  • A misconfiguration in Cariad’s software exposed the location data of approximately 800,000 electric vehicles.
  • The breach was discovered by the Chaos Computer Club, which reported the vulnerability on November 26th.
  • The exposed data included precise location information, raising serious privacy concerns.
  • The breach primarily affected vehicles in Europe, with the majority located in Germany (300,000 vehicles).
  • Over 30 of the vehicles were Hamburg police patrol cars, indicating sensitive location exposure.
  • Location data for two German politicians was also identified, highlighting potential misuse.
  • Access keys to a Cariad cloud storage instance were discovered, indicating a serious security vulnerability.

A “misconfiguration” in Volkswagen’s automotive software subsidiary, Cariad, has led to a significant data breach, exposing the location data of approximately 800,000 electric vehicles across its brands, including VW, Audi, Skoda, and Seat.

This revelation comes from a report by German news magazine Spiegel, which details how the Chaos Computer Club (CCC), Europe’s largest ethical hacker organization, discovered and reported the vulnerability to Cariad on November 26th.

The CCC, acting on a tip from a whistleblower, found that the exposed data included precise location information for some vehicles, raising serious privacy concerns. As Spiegel notes, this data “could potentially be linked to the names and contact details of drivers,” enabling the creation of detailed movement profiles.

Cariad acknowledged the breach, attributing it to a “misconfiguration” – essentially, a preventable error in the system’s setup. A Cariad representative said that the exposed data affected only internet-connected vehicles registered for online services.

Spiegel reports: “In the case of VW models and Seats, this geodata was accurate to within ten centimeters, and for Audis and Skodas to within ten kilometers and was, therefore, less problematic.”

The breach affected vehicles primarily in Europe, with the majority in Germany (300,000), followed by Norway (80,000), and Sweden (68,000).

The CCC’s investigation uncovered a concerning level of detail:

  • Sensitive locations: Over 30 of the vehicles were Hamburg police patrol cars, with others linked to suspected intelligence service employees.
  • Public figure tracking: Spiegel’s team, using freely available software, identified location data for two German politicians, highlighting the potential for misuse.
  • Cloud storage vulnerability: Within a memory dump from an internal Cariad application, the hackers discovered access keys to a Cariad cloud storage instance on Amazon, where customer vehicle data was stored.

While Cariad maintains that accessing the data required bypassing multiple security mechanisms and that individual vehicle data was pseudonymized, the CCC’s findings demonstrate the potential for exploitation. This incident underscores the growing cybersecurity challenges facing the automotive industry as vehicles become increasingly connected and data-driven.

Original Source: https://securityonline.info/volkswagens-cariad-exposes-location-data-of-800000-electric-vehicles/