
Volkswagen’s bad streak: We know where your car is
Volkswagen has landed in hot water once again. A recent investigation by the Chaos Computer Club (CCC) reveals that the company has been systematically collecting and storing movement data from hundreds of thousands of vehicles across its brands (VW, Audi, Skoda, and Seat). The data, which includes detailed location information and even vehicle owner details, was left exposed and unprotected on the internet for an extended period of time.
Impact of the Breach
This breach has affected not just private car owners but also corporate fleets, executives, and even police authorities across Europe. Sensitive data on government and military activity was also discovered, including information from the Bundesnachrichtendienst (BND) parking lot and a U.S. Air Force military base.
The data collected by VW’s subsidiary, Cariad, includes precise timestamps and location information, such as when the ignition was turned off. This kind of data, when connected with personal details, offers insights into everything from employee movements to surveillance activities.
The real issue here is not only that such sensitive data was collected over extended periods but that it was poorly protected, leaving it vulnerable to exploitation. As Linus Neumann from CCC stated, “The problem is that this data was collected and stored for so long, and the poor protection adds insult to injury.”
Technical background
Using the tool Subfinder, researchers identified an “interesting domain” (a specific internet address) belonging to one of Volkswagen’s subsidiaries. Subfinder enumerates subdomains for a given domain.
On the identified domain, the researchers conducted a brute-force attack targeting publicly accessible directories and files using tools like Feroxbuster or Gobuster. These tools are designed to find hidden directories and files by systematically guessing their names.
Through the brute-force attack, they discovered an exposed “debug console” located at /actuator/heapdump. The /actuator/heapdump endpoint is a known resource in Spring Boot applications (part of Spring Boot Actuator) that returns a diagnostic memory dump of the running server, so anything the application holds in memory, credentials included, ends up in the dump.
The memory dump obtained from the debug console contained sensitive information, including API keys (secretKey and accessKey). These keys provided access to an Amazon S3 resource, which housed the targeted data.
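Added example (not part of the CCC report or the original post): a small Python detector run over constructed web-server access-log lines that flags the two signals described above, a burst of 404s from one client that looks like directory enumeration, and a successful response from a sensitive Spring Boot actuator endpoint such as /actuator/heapdump. The thresholds, the endpoint list and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Spring Boot actuator endpoints whose contents leak secrets or live memory (assumed list).
SENSITIVE_PATHS = {"/actuator/heapdump", "/actuator/env", "/actuator/threaddump"}
# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:10:00:01 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2024:10:00:03 +0000] "GET /config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2024:10:00:03 +0000] "GET /debug HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2024:10:00:04 +0000] "GET /actuator HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2024:10:00:09 +0000] "GET /actuator/heapdump HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one access-log line into (ip, timestamp, method, path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?")[0], int(status)

def detect(lines, burst_threshold=4, window_seconds=10):
    """Return findings as (kind, ip, detail) tuples, in the order they were observed."""
    findings = []
    recent_404 = defaultdict(deque)  # ip -> timestamps of its recent 404 responses
    flagged = set()                  # ips already reported for a 404 burst
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, stamp, _method, path, status = parsed
        # Any successful read of a sensitive actuator endpoint is a finding on its own.
        if path in SENSITIVE_PATHS and status == 200:
            findings.append(("sensitive_endpoint_served", ip, path))
        # A run of 404s from one client inside a short window looks like wordlist enumeration.
        if status == 404:
            window = recent_404[ip]
            window.append(stamp)
            while stamp - window[0] > timedelta(seconds=window_seconds):
                window.popleft()
            if len(window) >= burst_threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("directory_bruteforce", ip, f"{len(window)} 404s in {window_seconds}s"))
    return findings
```

Running `detect(SAMPLE_LOG.splitlines())` reports the 404 burst from 198.51.100.9 first and the served heapdump second; the same logic applies unchanged to a real access log read line by line.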
Cariad’s Response
The subsidiary, Cariad, claimed that the data was “pseudonymized”, and:
“The IT security researchers only managed to do this by ‘bypassing several security mechanisms,’ which required a high level of expertise and a considerable amount of time, as well as by combining different data sets.”
How to Protect Yourself Against This Threat:
- Limit Data Sharing: Always review and adjust the privacy settings on connected vehicle apps and services.
- Use Encryption: Ensure any sensitive data being shared over the internet is encrypted.
- Stay Updated: Regularly update your vehicle’s software to patch known vulnerabilities.
More details
For the full report, check out the detailed article published in SPIEGEL.
🎥 Talk about this leak can be found here https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-volksdaten-von-volkswagen#l=eng (with English dubbing) [thanks @u/cmd_blue]
🔗 Source: https://www.ccc.de/de/updates/2024/wir-wissen-wo-dein-auto-steht