Thought Leadership
A security breach at VW’s software subsidiary Cariad exposed sensitive location data of approximately 800,000 Volkswagen Group electric vehicles for months. According to SPIEGEL, detailed GPS data and vehicle owners’ personal information were freely accessible through an unprotected Amazon cloud storage.
The data vulnerability affected vehicles from VW, Audi, Seat, and Skoda brands. For roughly 460,000 vehicles, precise location data could be linked directly to owners’ contact information, including names, email addresses, and in some cases, mobile phone numbers. Particularly concerning was the exposure of data belonging to politicians, business leaders, and potentially security agency personnel. For example, the Hamburg Police force’s fleet of approximately 35 electric patrol vehicles had their movement data exposed.
The exposed data encompassed not only GPS coordinates but also included information about battery charge levels, inspection status, and exact timestamps of vehicle activation and deactivation. The breach extended beyond Germany, affecting other European countries and regions. The precision of location tracking varied by brand: VW and Seat models were tracked within 10 centimeters, while Audi and Skoda vehicles were tracked within 10 kilometers. VW’s ID.3 and ID.4 models were documented with particular detail.
Technical Details of the Security Breach
The access to sensitive data didn’t require sophisticated hacking techniques. Using freely available standard tools, hidden subpages on Cariad’s websites could be discovered that were not meant for public access. The file names themselves revealed their sensitive content. A particularly critical discovery was an unprotected storage dump of an internal Cariad application. This highly sensitive file contained unencrypted access credentials to an Amazon cloud storage – essentially the key to all vehicle data.
The Chaos Computer Club, which received the tip about the vulnerability, compared the case to “a huge keyring lying under a too-small doormat.” The lack of protective measures revealed fundamental security deficiencies in the VW subsidiary’s system.
Critical Misuse Scenarios
The data breach, comprising several terabytes, could have been valuable for various actors. Foreign intelligence services could have easily identified which vehicles regularly parked in front of Federal Intelligence Service buildings or at the US Air Force military airfield in Ramstein, according to SPIEGEL.
Beyond intelligence scenarios, the data offered substantial potential for misuse. Fraudsters could have created authentic-looking phishing emails in the name of VW or suppliers to obtain sensitive payment information. The data also provided a dangerous foundation for stalking, as overnight locations and daily movement patterns could be precisely tracked.
The data breach gained additional significance due to its international reach: Since vehicle movements in crisis regions such as Ukraine and Israel were also recorded, the data could have developed military relevance – particularly if certain target persons were among the drivers.
Response and Resolution
Following tips from the Chaos Computer Club, Cariad responded within hours and closed the security gap. The company described the incident as a “misconfiguration” and emphasized that, according to current knowledge, no data had been misused. CCC spokesperson Linus Neumann praised the quick response: “Cariad’s technical team reacted quickly, thoroughly, and responsibly.”
