Around 800,000 electric cars from the Volkswagen, Audi, Seat, and Skoda brands had their location data available for download without a password on the internet, according to a report by the “Spiegel”.
For Volkswagen models and Seats, the GPS data was accurate to within 10 centimeters, while for Audis and Skodas it was accurate to within 10 kilometers, the magazine writes. In many cases, the vehicle data could be combined with the names and contact details of their owners, as these were also available online. As a result, attackers could have created movement profiles of private individuals, but also of politicians, police cars, and suspected intelligence agency employees, the “Spiegel” reports.
Informants had discovered the massive data collection, which was several terabytes in size, using freely available computer programs that are standard tools in the industry. They reported the problem to the Chaos Computer Club (CCC). CCC spokesperson Linus Neumann compares the security flaw to “a large key ring that was lying under a too small doormat”, as he told the “Spiegel”.
The Lower Saxony state parliament member Nadja Weippert (Green), whose data was allegedly accessible, said she was “shocked”. She expects “VW to shut it down, to collect less data, and to anonymize it at the very least”, she told the magazine.
CDU Bundestag member Markus Grübel, who was also affected, described the data breach as “annoying and embarrassing”, and stated that it does not exactly boost confidence in the German automotive industry, especially with regard to autonomous driving and potential hacking attacks on it, where the manufacturers’ IT competence still needs to be significantly improved.
The Chaos Computer Club had reported the security flaw to Cariad, the Volkswagen subsidiary responsible for the software of the group’s electric cars. Speaking to the “Spiegel”, Cariad described the issue as a “misconfiguration” and said that so far there have been “no indications of an improper use of data by third parties”. For the customers, there is “no need for action, as no sensitive information like passwords or payment data is affected”, the company stated.
Volkswagen uses the data, according to Cariad, to improve batteries and the related software. The company emphasizes that the data is never combined within the group in a way that would allow a person to be identified or movement profiles to be created. The vulnerability has already been fixed by Cariad.