Connected cars are great—at least until some company leaves unencrypted location data on the Internet for anyone to find. That’s what happened with over 800,000 EVs manufactured by the Volkswagen Group, after Cariad, an automotive software company that handles many of the development tasks for VW, left several terabytes of data unprotected on Amazon’s cloud.
According to Motor1, a whistleblower gave German publication Der Spiegel and hacking collective Chaos Computer Club a heads-up about the misconfiguration. Der Spiegel and CCC then spent some time sifting through the data, which allowed them to tie individual cars to their owners.
“The security hole allowed the publication to track the location of two German politicians with alarming precision, with the data placing a member of the German Defense Committee at his father’s retirement home and at the country’s military barracks,” wrote Motor1.
Cariad has since patched the vulnerability, which had revealed data about the usage of Skodas, Audis, and Seats, as well as what Motor1 calls “incredibly detailed data” for VW ID.3 and ID.4 owners. The data set also included pinpoint location data for 460,000 of the vehicles, which Der Spiegel said could be used to paint a picture of their owners’ lives and daily activities.
Cariad ascribed the vulnerability to a “misconfiguration,” according to Der Spiegel, and said there is no indication that anyone aside from the publication and CCC accessed the unprotected data.