cross-posted from: https://infosec.pub/post/21710275

Volkswagen has inadvertently exposed the personal information of 800,000 electric vehicle owners, including their location data and contact details. The breach, which occurred due to a misconfiguration in the systems of Cariad, VW’s software subsidiary, left sensitive data stored on Amazon Cloud publicly accessible for months. The exposed information included precise GPS data, which allowed […] The post Volkswagen Data Breach: 800,000 Electric Car Owners’ Data Leaked appeared first on Cyber Security News.

    • DerArzt@lemmy.world
      8 days ago

      …man if only there was something in my pocket that has an infotainment app that auto makers can add to their cars that provided that functionality without the automakers needing to add much.

      If only right?

      • Noxy
        8 days ago

        That just shifts the privacy problems from the automaker to the smartphone OS maker.

        I use GrapheneOS which only within the last year got Android Auto support, and even then it requires giving Google shit a lot of deep access to stuff I really don’t want to give.

        CarPlay and Android Auto should not be the only options (like when the car native nav is required for stuff like battery preconditioning).

      • NotMyOldRedditName@lemmy.world
        8 days ago

        So, car manufacturers have to give up control of their car and use software by other people which will impose limitations on them. Gotcha. And everything needed for that to work is exactly what they would need to add if they did it themselves, except a cell connection (edit: and the GPS)

        • DerArzt@lemmy.world
          8 days ago

          I take it you’re not familiar with Apple CarPlay and Google auto (which I was alluding to).

          • NotMyOldRedditName@lemmy.world
            8 days ago

            You connect your phone to it, and then it takes over some displays in the car’s infotainment unit.

            But that means it needs a screen. The car already has a computer in it, so it could output its own stuff to the screen if it really wanted to.

            Everything they need to show you a map is already there in the car if they wanted to write the software themselves, add a gps, and a cellular connection.

            Edit: And by making this the main system, they give up control of a critical part of the car. If it’s optional and not the only system, then they likely have their own software stack with maps and a gps/cellular connection anyway.

            Edit: And just to be clear, your statement of

            Why the fuck do cars need to be connected to the Internet all the time?

            And your response is, but the car should be connected to the internet and have all the internet connectivity that people want, but I just want it to be through my phone, and I want the OEMs to be beholden to Apple and Google in the process because of that demand.

            • JacobCoffinWrites@slrpnk.net
              8 days ago

              I’m not the person you’re talking to but none of that sounds like a feature to me (or like it benefits anyone but the car company). My ideal car has the infotainment system (if there is one) air gapped from any other onboard system entirely (I’ll begrudgingly accept an isolated camera for backing up).

              I want my car to be as dumb as possible. I don’t want it to receive software updates unless there’s been a recall and they hook up an OBD device. I don’t want it to connect to the Internet at all, for any reason. I don’t want to worry about whether connecting a phone to play audio over the speakers is a vector for malware to reach the point where it can lock the brakes on the highway or brick the car or fry the battery. I don’t want to worry about whether the company is using the onboard GPS to track my movements so it can sell them to third parties.

              There’s this endless push to make everything a rental service reflected even in your framing of the car as belonging to their manufacturer. If I bought the thing it’s my car, not theirs. I don’t want them to be able to kill the thing through a bad patch or when my owning it isn’t profitable enough to them anymore. If it has a screen for a radio etc it would ideally be a standardized unit easily swappable for other aftermarket parts, not the brain of the car.

              Maybe these demands are unreasonable but they’re a big part of the reason I’ve stuck with my cheap old ICE vehicle for now rather than switch to a higher tech, less secure machine even though an electric vehicle would be better aligned with my values and lifestyle. Eventually I’ll find something simple enough or build one from a kit or something. That’s part of why I keep an eye on this community, waiting for something that seems simple and secure enough.

              I hope that makes sense.

              • NotMyOldRedditName@lemmy.world
                8 days ago

                Ya, that makes sense, I’m not sure that’s what you’re ever going to get though. I don’t know if all OEMs will move to OTA updates, but that’s still only a portion of what you mention there. Even with the software if it was a dumb car with a completely isolated infotainment, I’m not sure you could ever prevent them from updating it if you had to take it in for a recall that required a software update? It’s your car, but it’s their software.

                Ultimately, they are computers on wheels now, and with the requirement of all the new safety features like pedestrian detection, AEB braking, backup cameras, it all requires a computer, and it’s just going to increase from here.

                • JacobCoffinWrites@slrpnk.net
                  8 days ago

                  Yeah I’m not holding out a lot of hope, especially from normal dealership models. If I find something that fits it’ll probably be a secondhand commercial vehicle, a really cheap Chinese off brand I’ll never be allowed to import, or something intended to be recreational along the lines of La Bagnole. Or some kind of diy kit - there were some really cool homebuilt EVs made from scrapped Tesla parts and old ICE vehicles but I’m still just learning about fixing cars so that’s a long way off. For now I’m just driving less and using a bike when I can.

    • Someonelol@lemmy.dbzer0.com
      8 days ago

      I’m no cyber security expert, but couldn’t a dumb car whose console occasionally hooks up to your phone to provide navigation data work just as fine with fewer security holes?

      • NotMyOldRedditName@lemmy.world
        8 days ago

        You can, but now you’ve built a car that depends on something else for a core feature people want.

        There’s nothing stopping them from building a car with an LTE connection that only connects to the display for navigation as well with its own CPU and everything 100% air gapped from the rest of the car system, but you limit your functionality when you do that as well.