Telemetry data from 800K VW Group EVs exposed online

Welcome to 2025: hopefully you enjoyed a pleasant holiday season and returned to the security operations center without incident - unlike Volkswagen, which last week admitted it exposed data describing journeys made by some of its electric vehicles, plus info about the vehicle’s owners. We're just as shocked as you that a …

  1. DS999 Silver badge

    The more of these exploits there are the better

    Though for real change it may take using this type of data to target a politician or CEO, or their family. Then maybe the government wakes up to this and we see some strong laws put in place. Otherwise "ban all Chinese EVs because their government will get access to telemetry data" is only a solution if the alternatives don't have that same data exposed not only to China's government but the entire world!

  2. GNU Enjoyer
    Angel

    Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

    After all, that's exactly what such hardware is designed to do, considering the integrated GPS chip cannot be turned off - only asked nicely to go into a low-power mode (which I figure probably never happens as there's plenty of power from a large battery available).

    The real issue wasn't how some mind-clouding server wasn't secured, it was how such information was collected in the first place.

    1. Neil Barnes Silver badge

      Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

      Not how. Why...

      Not for the benefit of the car owner, I suspect.

      1. Kobus Botes

        Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

        @Neil Barnes

        "Not how. Why?"

        Way back in the mid- to late nineties, when we were contemplating implementing e-mail and needed to demonstrate the usefulness thereof (and PCs in general) to top management, we inadvertently invented an intranet (I had a small website on my work PC, where I posted useful tips on using Lotus-123, Wordpad, etc., as well as light troubleshooting tips for fixing "non-functioning" PCs, like check power to both PC and monitor, etc, done in HTML1, with Mosaic and later Netscape as browsers. Safe, as we had no general access to the Internet).

        We thought of many useful things to do, but did not really contemplate the mischief that can be wrought, because why would anyone want to abuse such a system?

        I suspect the same applies to top management today. Plus the cost of security outweighs the risks, as far as they are concerned.

        So, why would a car manufacturer gather all that data? Simple: telemetry can allow one to alert authorities when it has become clear that a vehicle could be in trouble (accident, stuck in snow, etc.).

        You can also, as a courtesy service, advise a vehicle owner about an impending service ("Your vehicle is due for a service in 2 000 km., can we book you in at XYZ on 20 Jan?"). The possibilities are endless.

        1. Anonymous Coward
          Anonymous Coward

          Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

          So, why would a car manufacturer gather all that data? Simple: telemetry can allow one to alert authorities when it has become clear that a vehicle could be in trouble (accident, stuck in snow, etc.).

          See icon. I don't want the authorities alerting every time I have a minor bump, if I'm stuck in snow then chances are so is everybody else....

          You can also, as ......a courtesy service, advise a vehicle owner about an impending service

          I find franchised dealers are very effective at regularly harassing me to use their over-priced and quality-free services. Why do you think they need even more data to do it?

          This data gathering has ZERO to do with customer benefit, and simply reflects a mindset that "we can gather all this data, data is the new oil, so let's grab it and keep it".

          1. Bertieboy

            Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

            I've been superficially looking into the "legal" basis for all these shenanigans (EU/UK based so inhabitants of the great Satan can look away now). Most seem to be on the basis that you're required to divulge huge quantities of PII when buying a new car and on the basis of that "contract" the companies say they have some rights and that without this data no sale! Now my question is: If I bought a new car, and of course I would not be so deceptive concerning all the info they desire, and then promptly sell the car on to a new owner (say my wife), then the contract I had with the car company is now dissolved as presumably are their assumed rights with regards to the car they sold me. Now as I understand it, GDPR would then require them to seek consent from the new owner who of course could refuse. Anyone here with a better understanding of the matter than me (probably most of you!) care to comment on how such a scheme might be used to limit data collection?

            1. Doctor Syntax Silver badge

              Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

              "and that without this data no sale"

              That's a GDPR violation right there.

              1. John Brown (no body) Silver badge

                Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

                Not necessarily. If the data is legally required, then they must gather it. Eg, when buying a TV as the retailer has a requirement to report TV sales and who to, at least in the UK. There will be many other exceptions too. Some countries require ID to buy a mobile phone and/or SIM card.

                Especially related to buying a car, the retailer/dealer needs your name and address for the "log book" to transfer ownership via DVLA, and may need same or further proof of ID as the purchase price might impinge on money laundering rules. I'm not sure about the legality of asking for driving license, tax, insurance, MoT cert. etc, but most dealers will cite "duty of care" to make sure you are legally entitled to drive the car away.

                1. that one in the corner Silver badge

                  Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

                  Yet you fail to point out how or why any of those requirements imply a need to record the buyer's location, and to such accuracy, at the point of sale[1] *or* at any time after the sale.

                  And you made no attempt at all to explain why *any* data, especially precise location, should be relayed back to the manufacturer at any point after the title has been transferred - either for the car or the telly[2].

                  [1] I can buy a telly whilst sitting on Laguna Beach, just so long as the licensing people are told it'll be used in Bolton; the car purchase can be completed in the London Ritz, whilst the car is still in Luton - I was going out that way anyway, so what the heck.

                  [2] "Excuse me, sir, but is there a reason you are now watching the TV in your upstairs bathroom when our records show it was clearly purchased to be used in the downstairs lounge?"

            2. MachDiamond Silver badge

              Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

              "Anyone here with a better understanding of the matter than me (probably most of you!) care to comment on how such a scheme might be used to limit data collection?"

              If you finance a car in the US, often times you are entering into a finance agreement with the dealer who will then sell the contract to a lender unless you come in with your own pre-negotiated financing through your own lender (which the dealer is not going to like). There is a lot of PII that dealers must collect, store and submit for licensing/registration so, of course, there is no deal if you don't give them all of that. Separately might be a clause that allows them to receive, store, use, sell or transfer ongoing data from the car during your ownership. Companies such as Tesla do allow one to opt-out, but that means no access to Superchargers, no use of their app, no Over-The-Air updates (other than required updates), etc. Pretty much what might make the car easy to own. With the new J3400 standard in the US, Tesla loses the stranglehold over owners being reliant on the mothership for public charging. In other parts of the world, Tesla was required to install CCS connectors and all Tesla vehicles since the later Model S's speak CCS just fine.

              While there are laws about data collection and sale, you'd have to prove those laws have been violated. Even if caught, the fines/settlements seem to be much less than earnings so there isn't a massive downside to the companies just carrying on as usual and being a bit more circumspect after they've been caught. If there were jail time (and not waived) for execs and very costly fines, perhaps there would be more compliance.

          2. Kobus Botes

            Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

            @AC and the downvoters: It seems that I did not express myself clearly. I did not argue FOR telemetry - I tried to explain how, in naïvety, it can happen that one does not see the negative aspects of something, due to the rose-tinted glasses used that emphasise the positive aspects of a solution whilst completely ignoring or discounting real and even dangerous/detrimental effects.

            The examples I gave were used by Ford (USA) and VW (in the case of the Phaeton) as positive, special features of the technology embedded in (at least some of) their models.

            I am very much anti telemetry/surveillance because of how corporations and/or governments can abuse it and begrudge the fact that very positive aspects are nullified by that.

        2. Wang Cores

          Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

          Your response to someone asking "why would I want the company to know my every move in a 'device' I 'own'" is "dude you can totally ping people to go to the dealer again" is an inspired choice.

          I think Tennyson had a poem about the consequences of such inspired thinking at the Battle of Balaclava or something like that.

        3. MachDiamond Silver badge

          Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

          "So, why would a car manufacturer gather all that data? Simple: telemetry can allow one to alert authorities when it has become clear that a vehicle could be in trouble (accident, stuck in snow, etc.).

          You can also, as a courtesy service, advise a vehicle owner about an impending service ("Your vehicle is due for a service in 2 000 km., can we book you in at XYZ on 20 Jan?"). The possibilities are endless."

          Those are the excuses to insert the wedge. In reality, the data becomes a source of revenue with a value that escalates with the amount of PII that's included. How many accidents does one person get into if they are a competent driver that would need an automatic dispatch of emergency services? Cars already pop up service reminders so the above example is only a way for a dealer to market themselves so more people might pay outrageous sums for a "110 point inspection" that does nothing.

          I prefer that my car isn't informing anybody about my usage, location, destinations, etc. Many think that all of this is innocuous, but it winds up combined with all sorts of other data that's tied with a bow and sold to your employer, insurance company, bank and anybody else with a very modest amount of change in their pocket.

      2. Phil O'Sophical Silver badge

        Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

        Not for the benefit of the car owner, I suspect.

        Indeed not.

        Quite apart from VW's own use of this for advertising, for the latest EU-mandated feature of the speed limiter manufacturers are now required to report back to the EU, every 6 months, about how often this "driver aid" is triggered and/or switched off by the user. We soon won't need speed cameras, your car will report you by itself.

        1. seven of five Silver badge

          Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

          [Citation needed]

          1. Phil O'Sophical Silver badge

            Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

            [Citation needed]

            Regulation (EU) 2019/2144 of the European Parliament and of the Council:

            https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=PI_COM:Ares(2021)2243084

            See specifically Article 4.

            1. seven of five Silver badge

              Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

              Nice. Thanks.

            2. MachDiamond Silver badge

              Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

              I didn't find the 10cm reference. GPS (US) has a 3m accuracy as standard for public consumption. When I was working in avionics for rocket landers, we were able to unlock RT2 (2cm accuracy) with a bunch of money and NASA as a cosigner on the permission form. There's also RT20 which is 20cm accuracy. 3m is fine for vehicles since that's often within the envelope of the car itself. It's also why autonomy won't work with just GPS since a 3m shift to one side would be problematic. 10cm accuracy is unnecessary and, unless things have changed, isn't available to the general public/private industry.

              The reason for the built-in error on nav systems is military/national security. The military would be happy with nobody having it at all other than themselves.

        2. Doctor Syntax Silver badge

          Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

          Given the performance of my less than a year old car's ability to work out the current speed limit this is worthless.

          First of all, it doesn't retain the last known speed limit so when it's started it doesn't know the current speed limit and won't find out unless and until it passes a speed limit sign. Secondly, when presented with a cross roads where a national speed limit crosses a lower limited road and turning from one to the other it does not consistently choose the correct limit. Thirdly it will miss badly placed signs altogether. Fourthly I've seen it pick up the correct limit and seconds later be confused by something - possibly some other street sign - and drop into its don't-know mode.

          I've seen it display 30 where the correct value would be 70 and 60 where the correct value would be 30. And to cap it all where I live a network of lanes connect a road at national speed limit and a road at 30 with no signs in between. It's clearly a case of the legislators believing everything the salesmen told them.

        3. GNU Enjoyer
          Angel

          Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

          Each and every car with a mobile chipset in it is recording how fast you are going at a certain time and the location you are at as long as you have GPS lock (even without GPS lock, they do dead-reckoning - for example the GPS map is still reasonably accurate as you lose GPS lock driving through a tunnel), thus many cars are already reporting every case of speeding.

          Such records just aren't being provided to the government at the moment (the legal changes to blatantly rather than secretly permit such a huge human rights violation (the right to privacy) and payment scheme needs to be worked out first).

          Also, the amount of ANPR cameras could now make speed-only cameras mostly obsolete - it's just a matter of averaging the speed accounting for the possible routes (the only real blocker to this is how a much bigger monthly payment would be required before the proprietary master would implement that in the proprietary ANPR software).

    2. DS999 Silver badge

      Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

      You could also cut the wires delivering power to the GPS chip, then it doesn't matter how large that battery is. Or if the car is going to annoy you with constant warnings about "GPS error" maybe you cut the antenna wire from the chip leading to the shark fin on the roof?

      Though if you're carrying a phone with you in that car it doesn't matter whether your car has GPS or not. Your phone can be triangulated by your cellular provider pretty well. Not within 10 cm but close enough to tell where you've been - including after you've parked your car and are moving about by other means!

      1. GNU Enjoyer
        Angel

        Re: Mobile chipsets in "modern" cars allows location spying as accurate as ±10cm, what a surprise.

        >You could also cut the wires delivering power to the GPS chip

        The car might stop working or at least some functionality will not work.

        What you want to do is unplug the mobile chipset antenna and replace it with a dummy resistor antenna, or cut the antenna off the PCB and solder on a resistor - so the mobile chipset detects an antenna, but no signal.

        As a result, you usually will retain GPS functionality without location spying.

        >Though if you're carrying a phone with you in that car it doesn't matter whether your car has GPS or not.

        It's possible to choose to drive a car without carrying around a tracking device, or to put a tracking device in a faraday bag before going to your car.

        >Your phone can be triangulated by your cellular provider pretty well.

        They use trilateration now - much more accurate than triangulation.

  3. Anonymous Coward
    Anonymous Coward

    I'll give you my old car keys when you pry it from my cold, dead hands

    No way I’m giving up my pre-EV era, dinosaur juice drinking, chariot.

    The only “tracking” my car has is related to its track rods and toe in/out.

    1. Lee D Silver badge

      Re: I'll give you my old car keys when you pry it from my cold, dead hands

      Good luck when fuel hits $10/£5 a litre because the bottom falls out of that market as the rest of the world goes EV.

      1. Anonymous Coward
        Anonymous Coward

        Re: I'll give you my old car keys when you pry it from my cold, dead hands

        LOL

        Not this chestnut again.

        At current production and renewal levels it’s going to take FAR longer than my remaining lifespan for any large country to “go EV”.

        Liquid fuel will always be with us. Always.

        1. Lee D Silver badge

          Re: I'll give you my old car keys when you pry it from my cold, dead hands

          82% of all new car sales in a single EU country by last May already doesn't sound like "longer than your remaining lifespan".

          https://www.forbes.com/sites/jenniferturliuk/2024/05/24/how-norway-increased-evs-to-82-of-new-car-sales-vs-76-in-the-us/

          Just because the US lags doesn't mean that the rest of the world is waiting for them to take the lead.

          Most countries in the world have instigated ICE bans by 2030 or 2035 at the latest.

          Unless you're at death's door, you're going to see majority-EV on the road (not just new sales) in your lifetime, guaranteed.

          1. Doctor Syntax Silver badge

            Re: I'll give you my old car keys when you pry it from my cold, dead hands

            Norway isn't an EU country and oil is one of its major exports.

          2. nobody who matters Silver badge

            Re: I'll give you my old car keys when you pry it from my cold, dead hands

            Apart from Norway not being an EU country, the actual figures for new EV sales across the EU as a whole in the last 12 months is less than 17% of the market, and only forecast to rise to between 22 and 23% this year.

            Still a way to go yet, and it looks as though it will still be quite some time before second hand EVs become old enough to be within the affordability range of those near the bottom end of the payscale and that also assumes that the issues with charging infrastructure and difficulties faced for home charging for those with only on-street parking have been successfully resolved.

            There are still a good number of 20+ year old ICE cars going strong in the UK (where winter application of salt to the roads usually ensures cars go to the scrapyard sooner rather than later), and in southern parts of Europe where they don't suffer the ravages of salt corrosion, similar vehicles are often still commonplace at that kind of age. Like it or not, there will still be a significant demand for liquid fuel for cars for at least the next 20 years, and of course it is unlikely that HGVs, heavy plant and large agricultural machines are going to be able to switch over to electric power anything like as soon as should be possible for cars and small vans.

            "Unless you're at death's door, you're going to see majority-EV on the road (not just new sales) in your lifetime, guaranteed"

            Even if one's life expectancy is only another 10 or 15 years, I would suggest that a majority isn't enough to make a difference :(

            1. Anonymous Coward
              Anonymous Coward

              Re: I'll give you my old car keys when you pry it from my cold, dead hands

              "... quite some time before second hand EVs become old enough to be within the affordability range of the those near the bottom end of the payscale"

              I.e. the normal people.

              There's a catch though: Used EV typically needs a new battery and at that point, it will cost more than the rest of the car. Which means EVs will never be in 2k € range with usable battery: The battery alone is worth more than that.

          3. Anonymous Coward
            Anonymous Coward

            Re: I'll give you my old car keys when you pry it from my cold, dead hands

            "82% of all new car sales in a single EU country"

            Norway isn't an EU country *and* they have *huge* taxes on anything not EV, so your claim is absolutely irrelevant.

            Only rich people in Norway can afford a new car in the first place and when your options are literally either Tesla or a Toyota Corolla, it's no wonder people buy a Tesla. Those who can afford it, obviously.

            Trying to make that a general rule is just stupid: 50k € cars are *not* selling so much in EU, average being high 30s with a little variance by country. While in Norway it's 44k €.

            "Unless you're at death's door, you're going to see majority-EV on the road (not just new sales) in your lifetime, guaranteed."

            No you won't. For several reasons.

            EVs are *hugely expensive* to buy, even when used and most car owners never have capital to buy them. Then there's the charging problem: You need to own a house to have a charging point. That is not going to change. Also the actual lifetime: About 10 years and then it's scrapped.

            Literally toys for rich people, 2nd or 3rd car. For that EVs are good.

            I'm driving 25-year-old Skoda just because it was cheap: Any 25-year-old EV is and will be in the scrapyard.

      2. JamesTGrant Silver badge

        Re: I'll give you my old car keys when you pry it from my cold, dead hands

        I think there’s enough time left on that clock to not have to trade in the ol’ jalopy just yet.

  4. This post has been deleted by its author

    1. Phil O'Sophical Silver badge

      Re: *Ring Ring*

      Considering the poor design and rubbish quality of VW group's in-car "infotainment" software I think the more likely explanation is simple carelessness by an incompetent developer.

      1. This post has been deleted by its author

      2. John Brown (no body) Silver badge

        Re: *Ring Ring*

        "simple carelessness by an incompetent rogue developer."

        After all, wasn't that how they "explained" diesel-gate? :-)

  5. This post has been deleted by its author

  6. MrGreen

    More Money Grabbing

    The EV journey data is being sold so it’s already leaked.

    1. Anonymous Coward
      Anonymous Coward

      Re: More Money Grabbing

      "The EV journey data is being sold so it’s already leaked."

      Yup, that's literally what I was thinking too. First VW America morons sell it all to anyone who has money, then someone in the management says "Ooops" when they realize it's absolutely illegal under GDPR (why would they care about that in America? Or even know about it?) and they create "a leak" to hide the fact it has been on sale for years.

      Standard procedure to explain why said data can be found online.

      Having an API to connect said AWS-storage? Only reason to have an API in the first place is to enable (paid) access to 3rd parties.

  7. JugheadJones

    security holes

    smart & AI enabled doesn't just mean what it says it could also have "assumed" location tracking services. We know by using phones/desktops they love to track what we're doing on them, same with cars I guess. 1984 as always becoming more and more of a reality. The EU should step in here and ask for incognito buttons in cars or service should be disabled by default until user says they want it on. Sometimes it is used by insurance companies to look at someone's driving to get lower insurance premiums but they normally give you a device to do this.

    I've been moving jobs for the last 10 years and it's interesting how many holes I find when starting a new role, legacy open S3 buckets which no-one could be bothered to find out and clamp down, open 22 access, albeit needs a correct key but this is simple for bods that leave and the keys are never really rotated or even updated. Similar with AWS access credentials, these are very rarely changed and simple for people that come and go and yet they do a pen test every year and get a clean bill of security health. I suppose checks are limited to certain areas and they also assume these issues don't exist?

  8. Doctor Syntax Silver badge

    "Customers do not need to take any action, and it's not clear whether any of the data was exposed other than by the researchers."

    If it's not clear whether data was accessed by others it's not so much a matter of customers not needing to take action as not knowing if there might be any action they could take whether they needed to or not.

    That's in relation to this specific leak. ISTM that if it can be linked to individuals then the collection of the data in the first place is a GDPR violation. Remediation of that is an action customers might well need to consider.

    1. Dan 55 Silver badge

      Where remediation is pulling the fuse?

    2. Anonymous Coward
      Anonymous Coward

      "... if it can be linked to individuals then the collection of the data in the first place is a GDPR violation"

      Location can almost always be linked to individuals (indirectly or otherwise) and therefore just collecting it is a GDPR violation, unless there's a business reason to do so.

      I'm sure VW does not have any such reason.

      I was working for a company which made sport trackers and therefore it had a huge amount of location tracking data and *all* of it was classified as 'personal data', under GDPR.

      Major chunk of it was more or less anonymous, but that's not enough. Or at least that's what GDPR-lawyers told us.

      Not a problem, company wasn't giving (or even less selling) it to anyone. That stuff wasn't stored in plain text in some open S3 bucket either: A headache at the architecture planning phase.

  9. Robin

    Dw i ddim yn caru Cariad (Welsh: "I don't love Cariad")

    As a Welshman I feel culturally misappropriated that they use the name Cariad for this data slurping and leaking. Still, at least the wooden spoon is going to the right place /s

  10. Anonymous Coward
    Anonymous Coward

    wait until freeze peach wankers find out

    that musktwat is tracking and video all the Teslas inside and out..

    I'm sure they will complain once they get orange turd's cock out their mouths....

    1. Anonymous Coward
      Anonymous Coward

      Re: wait until freeze peach wankers find out

      hey downvoters, what's that orange stain round your lips, try some makeup remover

  11. John Brown (no body) Silver badge

    What about non-citizen?

    "bans US citizens from selling data to, or processing data within, any of the six countries named in the order,"

    So, all those "top 1%ers" on H1B visas can make like bandits without consequence? :-)

  12. ItWasn'tMe
    Facepalm

    Another VW group emissions issue

    Shock!

  13. DMcDonnell

    Disabling the Radio Transmitters

    Disabling the Radio Transmitters:

    Cutting the coax leading from the Radio transmitter box that leads to the antenna.

    Although I wouldn't put it beyond VW's conniving designs to Brick the automobile

    if it can't phone-home.
