The location of 800,000 VW Group electric cars has been disclosed due to a software vulnerability

By: Volodymyr Kolominov | 30.12.2024, 10:48
Volkswagen ID.3 digital cockpit. Photo used for illustrative purposes. Source: Volkswagen

Because of a security hole at software company Cariad, the location data of 800,000 VW Group electric cars in Europe was publicly exposed on the Internet for several months. An informant reported the vulnerability to the European hackers' association Chaos Computer Club (CCC) and the German news outlet Spiegel, which linked the information to other personal data such as the owner's name.

Here's What We Know

The problematic software was installed on cars from the Volkswagen, Audi, SEAT and Skoda brands.

The software vulnerability allowed journalists to track the whereabouts of two German politicians with high accuracy. In particular, it was possible to establish that a member of the German Defence Committee visited his father's nursing home and also travelled to military units. Spiegel also profiled a mayor, whose car collected data on movements from the town hall where she worked to a physiotherapist.

The publication said it found several terabytes of vehicle data in Amazon's cloud storage. This information allowed conclusions to be drawn about the lives of electric car owners. In addition to information about private users, journalists found data on 35 electric cars belonging to the Hamburg police, as well as on other politicians, business executives, employees of the German intelligence services and drivers at the US Air Force's Ramstein Air Base.

The hacker group CCC notified Cariad of the vulnerability. The development company quickly patched the problem.

Cariad told Spiegel that the vulnerability was a "misconfiguration" and that the company does not aggregate data that would allow someone to create a profile about an individual. According to the company, researchers had to merge different data sets, "bypassing several security mechanisms." It also said it was not aware of anyone other than CCC having access to the data in question.

Sources: Spiegel, Chaos Computer Club