Whistleblower finds unencrypted location data of 800,000 VW-EVs

    Connected cars are great, at least until a company leaves unencrypted location data on the Internet for anyone to find. That's what happened to more than 800,000 electric cars produced by the Volkswagen Group after Cariad, an automation software company that handles many of the development tasks for VW, left several terabytes of data unprotected in Amazon's cloud.

    According to Motor1, a whistleblower alerted German publication Der Spiegel and hacking collective Chaos Computer Club about the misconfiguration. Der Spiegel and CCC then spent some time sifting through the data, which allowed them to match individual cars to their owners.

    “The security breach allowed the publication to track the location of two German politicians with alarming precision, with the data placing a member of the German Defense Committee in his father's retirement home and in the country's military barracks,” Motor1 wrote.

    Cariad has since patched the vulnerability, which had revealed data on the use of Skodas, Audis and Seats, as well as what Motor1 calls “incredibly detailed data” for owners of VW ID.3 and ID.4. The dataset also contained precise location data for 460,000 of the vehicles, which Der Spiegel said could be used to paint a picture of the lives and daily activities of their owners.

    Cariad attributed the vulnerability to a “misconfiguration,” according to Der Spiegel, and said there is no indication that anyone other than the publication and CCC had access to the unprotected data.