The VW Group is at the center of a data scandal in which terabytes of recorded location data from 800,000 electric vehicles were accessible in the cloud. On the one hand, the incident shows what data vehicle manufacturers collect. On the other hand, it shows how quickly unsecured data can reach the public and then be misused for unwanted purposes.
Leak of location data from electric vehicles
An anonymous person came across a collection of several terabytes of data stored in the Amazon AWS cloud by VW's software development subsidiary Cariad. Due to a "misconfiguration", as it is so nicely put, this data was unsecured and could be accessed on AWS.
The person, who wishes to remain unnamed, contacted the German Chaos Computer Club (CCC), which investigated the matter together with the German news magazine Der Spiegel and reported it to VW. The data collection is now protected and can no longer be accessed. A blog reader pointed out this German article on heise. The German site Golem has also taken up the topic. Both articles refer to the initial article Datenleck beim Volkswagen-Konzern: Wir wissen, wo dein Auto steht (Data leak at the Volkswagen Group: We know where your car is) from Spiegel Online.
The CCC report
The Chaos Computer Club (CCC) has uncovered the data leak and describes its extent in this German article. The compact version: The Volkswagen Group systematically recorded the movement data of around 800,000 vehicles of the VW, Audi, Skoda and Seat brands and stored it over long periods of time.
According to the Spiegel report, the data collection appears to have started as soon as the vehicle owner installed the Volkswagen app and configured it for the vehicle. The app is required to be able to control certain vehicle functions such as the battery charge status and pre-heating of the vehicle.
Spiegel Online describes this using the example of a VW ID.3 owner, politician Nadja Weippert. The politician (Bündnis 90/Die Grünen) is a member of the Lower Saxony state parliament and is the spokesperson for data protection in her parliamentary group. Spiegel Online writes that Ms. Weippert is also the mayor of Tostedt, a municipality between Hamburg and Bremen. The owner also took a look at the data protection information before activating the Volkswagen app – but I don't assume that she was aware of the extent of the data collection.
In its article, Spiegel Online also traces the case of a second politician, CDU member of parliament Markus Grübel from Esslingen am Neckar. Both politicians gave the research team permission to analyze the stored data.
The report shows that Ms. Weippert's vehicle began collecting vehicle data as soon as the app was set up. The data included the exact GPS data of the respective parking location as soon as the vehicle's electric drive was switched off. The collected data was transferred to the manufacturer and stored on AWS servers in the cloud.
The data was linked to the vehicle owner's personal data via the app. CDU member of parliament Markus Grübel appeared in the data under his nickname "Kussi". The Spiegel article makes rather entertaining reading – the Chaos Computer Club sums it up more precisely: Volkswagen uses the movement data to gain insights into the everyday – and especially the not-so-everyday – private lives of hundreds of thousands of vehicle owners.
And due to the nicely paraphrased "configuration error", this data (several terabytes) was accessible to third parties in the AWS cloud. An absolute disaster, even if the company claimed to only want to collect the data pseudonymously in order to improve vehicle technology. heise quotes the CCC, which received information from VW-Cariad that the data was collected "to improve batteries and the associated software".
When analyzing the data, the CCC experts came to the conclusion that the data from 460,000 vehicles is so precise that it allows conclusions to be drawn about the lives of drivers (geodata for VW and Seat models is accurate to within ten centimetres).
During the research, this vehicle data could be linked to personal profiles of vehicle owners. In some cases, it was even possible to map the detailed movement data with addresses and cell phone numbers.
VW-Cariad states that it has never carried out this merging in such a way "that it is possible to draw conclusions about individual persons or create movement profiles". But this is bullshit bingo at its finest – if the data was collected and publicly accessible, any competitor, cybercriminal or bored teenager could make exactly this linkage.
Der Spiegel sums it up succinctly: "We know where your car is parked. We could see who parks at home, at the BND or in front of a brothel and when." Not only private individuals are affected by the data collection, but also fleet managers, board members and supervisory board members of DAX companies as well as various police authorities in Europe.
For example, movement data from 35 electric patrol cars of the Hamburg police was recorded and stored on the VW platform, where it was viewable by third parties. According to the CCC, sensitive data on intelligence and military activities was also collected: data records were found from the parking garage of the German Federal Intelligence Service (BND) and from the United States Air Force airbase in Ramstein, among others.
The CCC writes that the information collected by the VW subsidiary Cariad contains precise details of the location and time at which the ignition was switched off. The movement data is linked to other personal data. This also allows conclusions to be drawn about suppliers, service providers, employees or cover organizations of the security authorities.
"The problem is that this data was collected in the first place and stored for such a long period of time. The fact that it was poorly protected on top of that just puts the icing on the cake," said Linus Neumann, spokesman for the Chaos Computer Club.
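As an added illustration (not part of the original article or the CCC's analysis), the following Python example shows why ten-centimetre parking coordinates remain personal data even under a pseudonym, and what storage-side minimisation (coarser grid, hour-only timestamps, a retention limit) would look like; the coordinates, vehicle ids and the 30-day retention period are constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class ParkEvent:
    vehicle_id: str          # pseudonymous id (constructed, not a real VIN)
    switched_off: datetime   # time the electric drive was switched off
    lat: float               # parking position; 7 decimals of a degree ~ 1 cm,
    lon: float               # so 10 cm accuracy is fully representable

def cell_size_m(decimals: int) -> float:
    """Approximate edge length of a grid cell truncated to `decimals` places
    (1 degree of latitude is about 111 km)."""
    return 111_000 / 10 ** decimals

def grid_cell(lat: float, lon: float, decimals: int) -> tuple:
    """Map a coordinate to a grid cell by truncating to `decimals` places."""
    f = 10 ** decimals
    return (math.floor(lat * f) / f, math.floor(lon * f) / f)

def k_anonymity(events: list, decimals: int) -> int:
    """Smallest number of distinct vehicles sharing one grid cell.
    k == 1 means at least one vehicle is singled out by its parking spot alone."""
    vehicles_per_cell = {}
    for e in events:
        cell = grid_cell(e.lat, e.lon, decimals)
        vehicles_per_cell.setdefault(cell, set()).add(e.vehicle_id)
    return min(len(v) for v in vehicles_per_cell.values())

def minimise(event: ParkEvent, now: datetime, decimals: int = 2,
             retention: timedelta = timedelta(days=30)):
    """Storage-side data minimisation: delete events past the retention window
    (returns None), otherwise keep only a ~1 km cell and the hour of the event."""
    if now - event.switched_off > retention:
        return None
    lat, lon = grid_cell(event.lat, event.lon, decimals)
    hour_only = event.switched_off.replace(minute=0, second=0, microsecond=0)
    return ParkEvent(event.vehicle_id, hour_only, lat, lon)

# Constructed sample: three vehicles parked on the same street (made-up coordinates).
NOW = datetime(2024, 12, 27, 8, 0, tzinfo=timezone.utc)
SAMPLE = [
    ParkEvent("veh-a", NOW - timedelta(hours=10), 52.3758961, 9.7320104),
    ParkEvent("veh-b", NOW - timedelta(hours=9),  52.3759203, 9.7321877),
    ParkEvent("veh-c", NOW - timedelta(days=45),  52.3761544, 9.7318420),
]

if __name__ == "__main__":
    print("k at 10 cm grid:", k_anonymity(SAMPLE, 6))   # every car is unique
    print("k at ~1 km grid:", k_anonymity(SAMPLE, 2))   # cars become indistinguishable
    print([minimise(e, NOW) for e in SAMPLE])           # the 45-day-old record is dropped
```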
My 2 cents
This is yet another case that shows how collected data opens the door to abuse. And it shows once again how many smokescreens are immediately thrown up. "The collected data was secured immediately after the data leak was reported to VW" – in the reports I read, there was praise for how quickly this happened.
And, of course, the assurance that the vehicle data was never merged with the vehicle owners' personal data must not be missing. However, the mess is that a) the data was collected in the first place and b) it is stored in such a way that it can be merged by third parties. The fact that the data was sloppily secured is the icing on the cake.
I recently read that German vehicle manufacturers are hopelessly behind the curve, especially when it comes to Software Defined Vehicles (SDV). The industry is hungry for (vehicle) data and functions that can be turned into money. I refer to the Spiegel article, in which the authors point out that VW is not an isolated case when it comes to data collection. BMW, Daimler (and also Chinese and US manufacturers) etc. collect data in exactly the same way. And vulnerabilities inevitably lead to misuse by third parties.
Pandora's box has been opened wide – but in the articles in Der Spiegel etc., the CCC praises how cooperatively and quickly VW has reacted and closed the vulnerability. Not a word about the fact that millions of vehicle owners are unintentionally becoming transparent drivers and that vehicle manufacturers must be forced by the EU to allow drivers to become owners of their own data. Sick world.