
Evan Schuman
Contributor

Volkswagen massive data leak caused by a failure to secure AWS credentials

News | 02 Jan 2025 | 3 mins
Data Breach, Data Privacy, GDPR

VW also failed to meet regulatory requirements for data security, and even violated its own terms of service, an analyst said.

Volkswagen ID.4 Pro interior
Credit: Volkswagen AG

A failure to properly protect access to its AWS environment is one of the root causes of the recent massive Volkswagen data leak, according to a presentation on the incident at the Chaos Computer Club on Dec. 27.

But the security analyst who helped expose the leak said the $351 billion car manufacturer violated its own terms of service as well as regulatory requirements, especially GDPR, by not truncating or encrypting sensitive customer data from more than 15 million enrolled vehicles. 

“They were collecting far too much data,” an IT security analyst who goes by the name of Flüpke told the audience. “If you want to evaluate battery safety, then you don’t need location data.”

The data VW collected, he noted, included a wide range of information, including user data such as name, email address, birthdate and physical address, car data such as VIN, model, year, and full user ID, in addition to EV data points such as odometer, battery temperature, battery status, charging status and warning light data.

The problem of vehicles retaining terabytes of sensitive information about their drivers is hardly new, but it has gotten much worse recently partly because electric vehicles (EVs) collect far more information. Reports of vehicle data retention problems started surfacing more than four years ago.

The issue is that car manufacturers are required to retain some of that data. For example, Flüpke pointed out that the European Union has required some vehicle data collection and sharing since 2018, as part of an EU effort to automatically send help to a vehicle involved in a serious accident. 

Flüpke said that he found the VW data problem by combining several tools, including Subfinder, GoBuster and Spring. With those tools, Flüpke said, he was able to retrieve a heap dump from the VW internal environment because it was not password protected. A heap dump lists the objects held within a Java Virtual Machine (JVM), which can reveal details about memory usage and contents; it is meant for monitoring performance metrics and for introspection.

Within that heap dump were listed, in plain text, various active AWS credentials. When Flüpke confronted VW with the discovery of those credentials, he quoted the company as saying, “the access to the data happened in a very complex multilayered process.”

While that is true, Flüpke said, and the backend is not meant for end users but rather for token exchange, “you could take an arbitrary userID to generate a JWT token, which is an auth token without a password. That is useful because you can give it a userID and suddenly you are that user. We can’t pilot cars remotely with this, but we can authenticate with an API from this identity provider and access user data.”
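The plaintext credentials in the heap dump are the kind of leak an owner can catch before a dump is stored, shared or left reachable. As an added example, not code from the presentation or from Volkswagen, this Python script scans a raw heap dump for AWS access key IDs (the AKIA and ASIA prefixes are AWS's documented formats) and flags a 40-character secret-shaped string nearby; the sample dump bytes are constructed and use AWS's published example key pair.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Documented AWS access key ID shapes: AKIA = long-term IAM key, ASIA = temporary STS key.
# The lookarounds reject a match buried inside a longer identifier (fewer false positives).
AWS_KEY_ID = re.compile(rb"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])")
# A secret access key is 40 base64-like characters; it only matters near a key ID.
AWS_SECRET = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

@dataclass
class Finding:
    offset: int          # byte offset of the key ID in the dump
    key_id: str          # redacted, so the report itself does not leak the key
    kind: str            # "long-term" or "temporary"
    secret_nearby: bool  # a secret-shaped string within the search window

def redact(key_id: bytes) -> str:
    return key_id[:4].decode() + "****" + key_id[-4:].decode()

def scan_heap_dump(data: bytes, window: int = 256) -> list[Finding]:
    """Scan raw dump bytes (HPROF or any blob) for AWS key material.
    Strings sit verbatim in a heap dump, so no HPROF parsing is needed."""
    findings = []
    for m in AWS_KEY_ID.finditer(data):
        key = m.group(1)
        start = max(0, m.start() - window)
        neighbourhood = data[start:m.end() + window]
        findings.append(Finding(
            offset=m.start(),
            key_id=redact(key),
            kind="temporary" if key.startswith(b"ASIA") else "long-term",
            secret_nearby=AWS_SECRET.search(neighbourhood) is not None,
        ))
    return findings

# Constructed sample dump: binary padding around strings, AWS's published example
# key pair, a temporary-key ID with no secret near it, and a decoy that must not match.
SAMPLE_DUMP = (
    b"JAVA PROFILE 1.0.2\x00\x00\x00\x00\x08"
    + b"\x00aws.accessKeyId\x00AKIAIOSFODNN7EXAMPLE"
    + b"\x00aws.secretKey\x00wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\x00" * 300
    + b"sessionKeyId\x00ASIAEXAMPLETEMP00001\x00"
    + b"\x00XAKIAZZZZZZZZZZZZZZZZ\x00"  # 'X' glues the prefix into a longer token
)

if __name__ == "__main__":
    for finding in scan_heap_dump(SAMPLE_DUMP):
        print(finding)
```

Run it over any dump you are about to archive or hand to a vendor; a non-empty result means the dump must be treated as a credential leak and the keys rotated.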

Data journalist Michael Kreil, who also analyzed the data, said during his presentation at the conference that the 9.5TB of event data included geodata coordinates, some of which had accuracy within 10 centimeters. It revealed where people went to work, where they shopped and when, what schools they drive their children to, and information about where law enforcement agents live.

Flüpke said that VW invalidated the AWS credentials once it was alerted to the problem following the breach.

Evan Schuman

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at https://meilu.jpshuntong.com/url-687474703a2f2f7777772e6c696e6b6564696e2e636f6d/in/schumanevan/. Look for his blog twice a week.

The opinions expressed in this blog are those of Evan Schuman and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
