VW Exposes 800,000 EV Owners’ Private Data in Massive Location Leak
VW’s Connected Car App Leaves Sensitive Data of 800,000 Vehicles Exposed Online
The Volkswagen Group has been in the news lately, and not always for the best reasons. The latest bombshell involves a whistleblower report about the personal data of nearly a million vehicle owners being left unprotected and potentially available to anyone online. But how did it happen?
According to an investigation by German news outlet Spiegel, the location information and personal data of about 800,000 electric vehicle owners – including those of German politicians and other VIPs – were freely accessible on the internet for months. So, what’s the connection?
It all started with a VW app, developed by the company’s subsidiary Cariad, which is designed to be an extension of the car and its features. The app allows owners to start their vehicle remotely, manage climate controls, check battery charging status, and more. Sounds convenient, right? Wrong.
The Data Collection
The app collects GPS information and driving data, which is sent back to the automaker. Cariad claims that "pseudonymized data on customers’ charging behavior and habits" is used to improve batteries and associated software. The company also said that the information isn’t combined with other data sets within the company, making it impossible to connect individual and vehicle profiles.
Or so they thought.
The Vulnerability
It turns out that a misstep left the sensitive information unencrypted and exposed to cyberattack. Although the data wasn’t set up with a dedicated website titled "FREE PERSONAL INFO OF 800K, INCL. POLITICOS," Spiegel reports that it was easy to guess the file extensions, which led to a recent memory dump of an internal Cariad app. No password was required to retrieve it, and the dump included login credentials for an Amazon cloud storage facility that contained all the sensitive vehicle data.
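An added example, not from the article or from Cariad: a short Python scan of a raw dump file for AWS access key IDs, a check that can be run on debug artifacts before they are stored anywhere reachable. It assumes the credentials were AWS access keys in the standard format (the article says only "login credentials"); the function names, the 256-character window and the sample bytes are constructed for illustration.

```python
import re

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# AWS secret access keys are 40 characters from the base64 alphabet.
SECRET = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 256  # characters after a key ID searched for a secret (assumed value)


def redact(key_id: bytes) -> str:
    """Keep only enough of the key ID to identify it for rotation."""
    text = key_id.decode("ascii")
    return text[:4] + "*" * (len(text) - 8) + text[-4:]


def scan_dump(data: bytes) -> list[dict]:
    """Report AWS key IDs stored as ASCII or UTF-16LE text in a raw dump."""
    findings = []
    for encoding, step in (("ascii", 1), ("utf-16le", 2)):
        for start in range(step):  # UTF-16LE strings may sit at odd offsets
            view = data[start::step]
            for m in KEY_ID.finditer(view):
                offset = start + m.start() * step
                # Real UTF-16LE ASCII text has a zero high byte per character.
                if step == 2 and any(data[offset + 1:offset + 40:2]):
                    continue
                tail = view[m.end():m.end() + WINDOW]
                findings.append({
                    "offset": offset,
                    "encoding": encoding,
                    "key_id": redact(m.group()),
                    "secret_nearby": bool(SECRET.search(tail)),
                })
    return sorted(findings, key=lambda f: f["offset"])


def build_sample() -> bytes:
    """Constructed dump fragment using placeholder (non-working) keys."""
    ascii_part = (b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
                  b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    wide_part = "ASIAIOSFODNN7EXAMPLE".encode("utf-16-le")
    return b"\x7fHEAP" + ascii_part + b"\xff" * 32 + wide_part + b"\x00" * 8


if __name__ == "__main__":
    for finding in scan_dump(build_sample()):
        print(finding)
```

Any finding means the dump has to be treated as a secret in its own right and the listed key rotated; the redacted ID is enough to locate the key in the account without copying it into scan output.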
The Affected
Of the 800,000 affected vehicles, 300,000 were in Germany. However, Spiegel reports that vehicles in other European countries and elsewhere were also part of the unprotected data population. Whether any were in North America was not specified.
The Risk
The information of 35-plus Hamburg Police patrol EV owners and of vehicles owned by suspected intelligence officers was part of the open directory. For some owners, the data was too precise and personal, including locations accurate to within 10 cm or 10 km, as well as owner emails, addresses, and phone numbers.
The Response
It wasn’t until Europe’s largest hacker association, the Chaos Computer Club, informed VW Group about the security gap that the issue was handled, and unauthorized access was blocked. Cariad claims to have no evidence of any misuse of data by third parties.
While it’s reassuring that no passwords or payment information was released, it’s unclear what steps Cariad will take to prevent a similar data breach in the future.
The IoT Conundrum
In a world where everything needs to be connected, where do consumer protections lie? Should manufacturers be responsible for securing our data, or is it up to us to disable features that shouldn’t be tracking us? The convenience of remote start may be tempting, but is it worth the risk of identity theft?
The questions are mounting, but one thing is certain: data protection is more crucial than ever in the IoT age.