Things aren’t going so great at Volkswagen right now, and while the latest scandal likely won’t rise to the level of the diesel emissions scandal, a security lapse by VW’s in-house software developer Cariad did expose the locations of about 800,000 electric vehicles to hackers. The app that owners use to access many of their cars’ features, including preheating the cars and checking their charge levels, left the data it gathered largely unprotected, Spiegel reports.
The places people go and the other data that could potentially be used to create a detailed profile of an owner and their movements shouldn’t be accessible by outsiders, but according to Spiegel, multiple terabytes of owner data were stored on Amazon’s cloud and accessible to hackers for months. If the data had been anonymous that would have been bad enough, but it could also reportedly be tied to owners and their contact information, making the situation even worse. Those who are affected, including some local politicians, are not happy:
A whistleblower shared the serious security vulnerability with the Chaos Computer Club and SPIEGEL. Nadja Weippert and Markus Grübel agreed to have reporters examine their cars’ data records more closely for the purpose of their research.
“I’m shocked,” says Weippert when SPIEGEL shows her her location data from the past few months. As a state and local politician, she is exposed to hostility and threats. “It cannot be that my data is stored unencrypted in the Amazon cloud and then not even adequately protected,” she says. “I expect VW to stop this, collect less data overall and anonymize it in any case.”
Grübel also finds the data breach “annoying and embarrassing” and says it does not exactly strengthen confidence in the German car industry. “Especially with regard to autonomous driving and possible manipulative hacking attacks on it, the IT competence of the manufacturers clearly still needs to improve significantly.”
When Spiegel reviewed the data, it was able to see the exact locations of about 460,000 vehicles and could have easily tracked the movements of individuals, including politicians, business executives and even members of the Hamburg police department. Want to see which Volkswagen, Seat, Skoda and Audi owners visit the Artemis brothel in Berlin? Easy peasy. The good news for the brothel’s married clients is that Spiegel is a newspaper, not an international extortion ring. At the same time, if it was possible for journalists to get this information, there’s no reason to believe it wasn’t also available to foreign governments, blackmailers or foreign governments looking to do some blackmail.
The good news is, when members of the Chaos Computer Club contacted Cariad, it reportedly acted fast to fix the problem. As spokesperson Linus Neumann told Spiegel, “The Cariad technical team responded quickly, thoroughly and responsibly.” Still, it’s a huge problem that this was ever an issue in the first place, especially considering how easy the data was to access:
A SPIEGEL team of IT experts and journalists was able to reproduce the vulnerability beforehand. Neither intelligence services, nor spying VW competitors, criminals or even bored teenagers would have had any real challenge in gaining access.
Everything was out in the open, you just had to know where to look. Nothing more than a few freely available computer programs, which are standard tools for criminal hackers and IT security experts, were needed.
To put it simply, they made it possible to find certain Cariad websites and their subpages by systematically guessing, even if some of them are invisible to normal users. This made paths visible that led directly to files whose extensions indicated that they might contain sensitive content. One of these paths led to a copy of the current memory dump of an internal Cariad application. Such a file should not be available on the open Internet at all, or at least not without password protection. Modern security programs and processes should actually be able to detect such an omission. Because this was not the case with Cariad, attackers could have simply downloaded and opened the memory dump. It contained – easily found – the access data for a cloud storage facility at Amazon.
The cloud storage itself contained the data of the individual vehicles, immediately recognizable by the names for the battery charge level, the inspection status and the categories “engine on” and “engine off”. The latter contained not only the time but also the longitude and latitude lines and thus the position of the car when the electric motor was switched off. In the case of VW models and Seats, this geodata was accurate to within ten centimeters, and for Audis and Skodas to within ten kilometers and was therefore less problematic.
Further access data was found elsewhere, this time for a VW-specific service. This allows car owners to create a personal profile via an app and link it to their vehicle. This access data allowed VW’s database to be queried for all registered users of the app – and linked to the first car data set. This made it possible to assign the detailed movement data to individual people, including email addresses and, in some cases, addresses and cell phone numbers. Linus Neumann from the CCC compares it to “a huge bunch of keys lying under a doormat that was far too small.”
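The two failures Spiegel describes, a memory dump reachable by guessing URL paths and cloud credentials sitting in plain text inside that dump, are exactly what a routine check on a company’s own exposed files should catch. The Python below is an added illustration of such a check, not code from Spiegel, the CCC or Cariad: it flags URL paths whose extensions suggest dumps, backups or config files, and scans raw dump bytes for AWS-style access key pairs. The extension list, the path names and the dump bytes are constructed for the example; the key pair is the placeholder pair from AWS’s own documentation, not a real credential.

```python
"""Flag dump-like paths and scan a memory dump for embedded AWS credentials.

Added example. The extension list, sample paths and dump bytes are
constructed for illustration; the AWS key pair below is the placeholder
pair published in AWS documentation, not a live secret.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Extensions that usually mean crash/heap dumps, backups or config with secrets.
# Assumed list for the example, not one taken from the Spiegel/CCC research.
SUSPICIOUS_EXTENSIONS = {".hprof", ".dmp", ".core", ".dump", ".bak", ".env", ".sql", ".log"}

# AWS long-term access key IDs start with AKIA, temporary (STS) ones with ASIA.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Za-z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Za-z0-9])")
# A secret access key is 40 base64-alphabet chars; require a nearby label to cut noise.
SECRET_RE = re.compile(
    rb"(?i)secret(?:_access)?_?key[\s=:\"']{0,8}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)


@dataclass
class Finding:
    offset: int            # byte offset of the access key ID in the dump
    access_key_id: str
    secret_key: Optional[str]   # None if no labelled secret was found nearby


def scan_dump(data: bytes, window: int = 1024) -> list[Finding]:
    """Find access key IDs in raw dump bytes and pair each with a secret
    found within `window` bytes on either side. Key ID and secret are
    normally adjacent in memory (an environment block, a config struct),
    so a small window keeps false pairings down."""
    findings: list[Finding] = []
    for m in ACCESS_KEY_RE.finditer(data):
        lo = max(0, m.start() - window)
        hi = min(len(data), m.end() + window)
        sm = SECRET_RE.search(data[lo:hi])
        secret = sm.group(1).decode() if sm else None
        findings.append(Finding(m.start(), m.group(1).decode(), secret))
    return findings


def suspicious_paths(paths: list[str]) -> list[str]:
    """Return the paths whose final extension suggests a dump, backup or
    config artifact. Query strings are ignored when reading the extension."""
    out = []
    for p in paths:
        name = p.split("?", 1)[0].rsplit("/", 1)[-1].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in SUSPICIOUS_EXTENSIONS:
            out.append(p)
    return out


# Constructed heap-dump fragment: binary filler around a process environment block.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"JAVA_HOME=/usr/lib/jvm\x00"
    + b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
    + b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\xff" * 32
)

# Constructed list of paths as a directory brute-forcer might report them.
SAMPLE_PATHS = [
    "/static/app.js",
    "/internal/debug/heapdump-2024-11-03.hprof",
    "/api/v1/vehicles",
    "/backup/db.sql?token=abc",
]

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        state = "secret found alongside" if f.secret_key else "no secret nearby"
        print(f"offset {f.offset}: key id {f.access_key_id} ({state})")
    print("paths worth a closer look:", suspicious_paths(SAMPLE_PATHS))
```

Run against real artifacts, the first function is the kind of thing to point at the output of a crawl of your own hosts, and the second at any dump, core file or log before it is ever written somewhere a web server can serve it. Either hit should block deployment, and a key ID found in a served file should be treated as already compromised and rotated.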
Yeah, that’s not good. At all. There’s a lot more to Spiegel’s investigation, too, so be sure to head over there and give the Google-translated article a good read. Unless you speak German, in which case, you’re doing better than most of us.
H/T: Motor1