cross-posted from: https://infosec.pub/post/21710275
Volkswagen has inadvertently exposed the personal information of 800,000 electric vehicle owners, including their location data and contact details. The breach, which occurred due to a misconfiguration in the systems of Cariad, VW’s software subsidiary, left sensitive data stored on Amazon Cloud publicly accessible for months. The exposed information included precise GPS data, which allowed […] The post Volkswagen Data Breach: 800,000 Electric Car Owners’ Data Leaked appeared first on Cyber Security News.
Thank you Volkswagen for providing the valuable public service of reminding everyone that letting your car have a network connection is a bad idea.
With an EV, my guess is that the charging protocol at public charging stations probably also has the car identify itself and the charging station will record that.
Why on Earth would an electric car need to identify itself to a charging station?
Except for tracking its whereabouts?
Don’t say for billing, because for payment on all sorts of self-service vending machines, which charging stations for electric cars pretty much are, other solutions (some with just as much tracking potential) have existed for a long time; no need to reinvent the square wheel here.
According to the article, precise GPS data was stolen. That is much worse than info about when and where you charged your car.
Under GDPR this should incur massive fines. Let’s see how deep the German government is willing to crawl into their exhaust.
Spoiler: aaaaaall the way.
Are there any universal guides (like iFixit) to disable cars’ cellular network modules?
I don’t actually know if that’s legal anymore, because the SOS function is now required by the EU. (Also, iiuc, this breach apparently came from people who logged into the VW app to preheat their car, etc.)
In some cases, the SIM card isn’t difficult to locate and remove. The problem comes if these chucklefucks decided to make local systems dependent on the data connection (e.g. subscription options).
What possible reason could VW have for collecting this information in the first place?
Data is money. Whatever data a company can legally collect (or get away with illegally collecting), they will collect.
Granted. I should have said “legitimate” reason.
Additionally, 68% of the brands had experienced hacks, security incidents, or data leaks in the previous three years.
That were detected and we know of.
CARIAD is such a clusterfuck.