The Hidden Vulnerabilities of Smart Cars: Lessons from the VW Data Breach
News and information from the Advent IM team.
The recent VW Group data breach exposed sensitive information of over 800,000 electric vehicle owners, highlighting a critical flaw in the industry’s data management practices. As the automotive industry evolves toward electric and smart vehicles, data privacy is becoming a paramount concern.
Cariad, a Volkswagen subsidiary focused on automotive software, reportedly exposed sensitive data from 800,000 electric vehicle owners by leaving it in an unsecured Amazon cloud storage folder.
Modern EVs are essentially rolling computers, equipped with internet connectivity, advanced sensors, and integrated apps. They collect data such as GPS location, travel routes, personal information (including name, address and payment information), driving behaviours and vehicle diagnostics. The more data collected, the greater the risk of breach or misuse.
The concern was raised after a vehicle owner explored an app they were required to download to use the remote functionality of their Volkswagen ID.3. The owner found that the app was collecting precise geolocation data each time the car was turned off, creating a detailed picture of where the owner had been.
The vulnerability was initially uncovered by the Chaos Computer Club (CCC), a European ethical hacking organisation, after being alerted by a whistleblower. CCC verified the issue on November 26 and notified Cariad, granting the company 30 days to secure the exposed data. Cariad attributed the issue to misconfigurations in two IT applications, responded within hours, and expressed gratitude to the CCC for bringing the matter to their attention. Of the 800,000 affected vehicles, 300,000 were in Germany, with tens of thousands also impacted in Norway, Sweden, the UK, the Netherlands, France, Belgium, Denmark, Switzerland, and Austria. As Volkswagen is the parent company of several popular European brands, the breach reportedly affected Audi, SEAT, and Skoda models as well.
The news of the VW breach is a reminder of the pressing warnings issued by the Mozilla Foundation in 2023: modern cars have become veritable “surveillance machines on wheels.” The report highlighted that car companies overall collect too much personal data and that 84% of them share our data with, or sell it to, service providers, data brokers, and other businesses we know little or nothing about. Two of the 25 car brands reviewed as part of the report say that all drivers have the right to have their personal data deleted, and 92% give drivers little to no control over their personal data.
VW is no stranger to scandal. Nearly a decade ago, it was uncovered that the company had installed “defeat devices” in diesel engines to manipulate emissions tests. Referred to as “Dieselgate,” this revelation sparked widespread outrage, leading to lawsuits, regulatory fines, and a significant hit to VW’s reputation.
Volkswagen isn’t alone. In October 2024, owners of BYD electric vehicles in Australia reported that the cars’ internal SIM cards could be remotely accessed, allowing external parties to listen to in-car conversations without the driver’s knowledge. BYD’s distributor took steps to resolve the issue, assuring users that all data and SIM information remained secure.
Is there a case for manufacturers to be able to track car user movement? Those in favour could argue that tracking by car manufacturers can enhance safety through features like emergency assistance and stolen vehicle recovery, offer personalised user experiences, and support usage-based insurance that rewards safe driving. It could also aid predictive maintenance by monitoring vehicle performance, helping to prevent breakdowns.
On the other hand, the case against tracking by car manufacturers centres on privacy concerns, as users may not want their movements monitored or recorded. Collecting this data also creates a potential risk to data security, with breaches, should they occur, leading to misuse of sensitive information. Without clear consent and transparency, tracking can feel intrusive, and there’s a danger of data being used beyond its intended purpose, such as for targeted advertising or surveillance.
Balancing the innovative technology of electric vehicles with data privacy and security requires a multi-faceted approach that addresses both technological advancements and user rights. There are a number of options EV developers should build into their designs, including adopting Privacy by Design, enabling greater user control, establishing robust data protection and cyber security procedures, and continuing to monitor and adapt to new threats and challenges.
Protecting user data is critical for EV developers to prevent the misuse of sensitive information. Data breaches can lead to identity theft, fraud, and physical risks such as stalking or theft if vehicle locations are exposed. By safeguarding personal and location data, developers ensure user safety, maintain trust, and prevent unauthorised access that could compromise both individual security and vehicle functionality. Prioritising data protection mitigates these risks, promotes consumer confidence, and supports the ethical growth of the EV industry.
Read the full story about the VW Breach here – https://www.techradar.com/pro/security/over-800-000-electric-car-owners-and-drivers-may-have-had-private-info-exposed-online
Read the full Mozilla Foundation Report here – https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/