{"id":1389,"date":"2025-01-02T19:51:26","date_gmt":"2025-01-02T19:51:26","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1389"},"modified":"2025-01-02T19:51:26","modified_gmt":"2025-01-02T19:51:26","slug":"volkswagen-massive-data-leak-caused-by-a-failure-to-secure-aws-credentials","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1389","title":{"rendered":"Volkswagen massive data leak caused by a failure to secure AWS credentials"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A failure to properly protect access to its AWS environment is one of the root causes of the recent massive Volkswagen data leak, according to <a href=\"https:\/\/www.youtube.com\/watch?v=gKvtJiU-mi4&amp;list=PL_IxoDz1Nq2YICxl-KtTHOjEwxIOIsPrs&amp;index=27\">a presentation on the incident<\/a> at the Chaos Computer Club on Dec. 27.<\/p>\n<p>But the security analyst who helped expose the leak said the $351 billion car manufacturer violated its own terms of service as well as regulatory requirements, especially <a href=\"https:\/\/www.csoonline.com\/article\/562107\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html\">GDPR<\/a>, by not truncating or encrypting sensitive customer data from more than 15 million enrolled vehicles.\u00a0<\/p>\n<p>\u201cThey were collecting far too much data,\u201d an IT security analyst who goes by the name of Fl\u00fcpke <a href=\"https:\/\/events.ccc.de\/congress\/2024\/hub\/en\/event\/wir-wissen-wo-dein-auto-steht-volksdaten-von-volkswagen\/\">told the audience<\/a>. 
\u201cIf you want to evaluate battery safety, then you don\u2019t need location data.\u201d<\/p>\n<p>The data VW collected, he noted, covered a wide range of information: user data such as name, email address, birthdate and physical address; car data such as VIN, model, year, and full user ID; and EV data points such as odometer, battery temperature, battery status, charging status and warning light data.<\/p>\n<p>The problem of vehicles retaining terabytes of sensitive information about their drivers is hardly new, but it has gotten much worse recently, partly because electric vehicles (EVs) collect far more information. <a href=\"https:\/\/www.scworld.com\/news\/are-your-fleets-vehicles-leaking-your-data-secrets\">Reports of vehicle data retention problems<\/a> started surfacing more than four years ago.<\/p>\n<p>The issue is that car manufacturers are required to retain some of that data. For example, Fl\u00fcpke pointed out that the European Union has required some vehicle data collection and sharing since 2018, as part of an EU effort to automatically send help to a vehicle involved in a serious accident.<\/p>\n<p>Fl\u00fcpke said that he found the VW data problem by combining various coding tools, including Subfinder, GoBuster and Spring. Using the tools, Fl\u00fcpke said that he was able to retrieve a heap dump from the VW internal environment because it was not password protected. A heap dump lists the objects held in memory by a Java Virtual Machine (JVM), which can reveal details about memory usage. It is supposed to be used for monitoring performance metrics and for introspection.<\/p>\n<p>Listed within that heap dump, in plain text, were various active AWS credentials. 
When Fl\u00fcpke confronted VW with the discovery of those credentials, he quoted the company as saying, \u201cthe access to the data happened in a very complex multilayered process.\u201d<\/p>\n<p>While that is true, Fl\u00fcpke said, and the backend is not meant for end users but is instead used for token exchange, \u201cyou could take an arbitrary userID to generate a JWT token, which is an auth token without a password. That is useful because you can give it a userID and suddenly you are that user. We can\u2019t pilot cars remotely with this, but we can authenticate with an API from this identity provider and access user data.\u201d<\/p>\n<p>Data journalist Michael Kreil, who also analyzed the data, said during his presentation at the conference that the 9.5TB of event data included geodata coordinates, some of which had accuracy within 10 centimeters. It revealed where people went to work, where they shopped and when, which schools they drove their children to, and where law enforcement agents live.<\/p>\n<p>Fl\u00fcpke said that VW invalidated the AWS credentials once it was alerted to the problem following the breach.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A failure to properly protect access to its AWS environment is one of the root causes of the recent massive Volkswagen data leak, according to a presentation on the incident at the Chaos Computer Club on Dec. 27. 
But the security analyst who helped expose the leak said the $351 billion car manufacturer violated its [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1384,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1389","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1389"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1389"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1389\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1384"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}