Excerpt from CSO Online Article, Published on Jan 2, 2025.

Volkswagen, one of the world’s largest car manufacturers, faced a significant data breach due to a failure to secure its AWS credentials. The incident, revealed during a presentation at the Chaos Computer Club on December 27, exposed sensitive information from over 15 million vehicles and raised questions about the company’s compliance with regulatory and internal security standards. The breach occurred when an unprotected heap dump from Volkswagen’s internal environment was accessed. This dump, meant for monitoring performance metrics, contained active AWS credentials in plain text. Security analyst Flüpke, who discovered the breach, explained that these credentials allowed unauthorized access to user data through token exchanges. By using an arbitrary user ID to generate authentication tokens, attackers could access sensitive customer information without needing a password.

The compromised data included personal details such as names, email addresses, birthdates, and physical addresses, alongside vehicle-specific data like VIN numbers, odometer readings, and geolocation coordinates. The latter raised significant privacy concerns, as some coordinates revealed locations with an accuracy of up to 10 centimeters, disclosing where users worked, shopped, and even where law enforcement officers lived. In addition to failing to protect its AWS environment, Volkswagen violated its own terms of service and regulatory requirements like GDPR by not encrypting or truncating sensitive data. Critics, including data journalist Michael Kreil, emphasized that excessive data collection by EVs, including unnecessary location data, exacerbates privacy risks.

Following the breach, Volkswagen invalidated the exposed AWS credentials, but the incident underscores broader issues in cloud security. Flüpke noted that vulnerabilities like these can often be exploited through common tools such as Subfinder and GoBuster. This breach serves as a stark reminder of the importance of securing AWS credentials and implementing robust cloud security measures to protect sensitive data in an increasingly connected world.
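As a defensive check for the failure described above (an added example, not taken from the article or from Volkswagen): scan a heap dump for AWS access key IDs before it is stored or served anywhere, covering strings held as one byte per character and as UTF-16. The function names, the 256-character window and the sample bytes are assumptions for illustration; the key pair in the sample is the example pair from AWS documentation.

```python
import re

ENCODINGS = ("ascii", "utf-16-be", "utf-16-le")
WINDOW = 256  # characters searched on each side of a key ID (assumed heuristic)


def _unit(cls: bytes, enc: str) -> bytes:
    """One character of class `cls` as it is laid out in memory for `enc`."""
    return {"ascii": cls, "utf-16-be": b"\x00" + cls, "utf-16-le": cls + b"\x00"}[enc]


def _patterns(enc: str):
    prefix = b"|".join(b"".join(_unit(bytes([c]), enc) for c in p) for p in (b"AKIA", b"ASIA"))
    up, b64, b64pad = (_unit(c, enc) for c in (b"[A-Z0-9]", b"[A-Za-z0-9/+]", b"[A-Za-z0-9/+=]"))
    # Key ID: AKIA (long-term) or ASIA (temporary) followed by 16 uppercase alphanumerics.
    key = b"(?<!%b)(?:%b)(?:%b){16}(?!%b)" % (up, prefix, up, up)
    # Secret key: 40 base64-style characters; too generic alone, so only used near a key ID.
    secret = b"(?<!%b)(?:%b){40}(?!%b)" % (b64, b64, b64pad)
    return re.compile(key), re.compile(secret)


def _text(raw: bytes) -> str:
    return raw.replace(b"\x00", b"").decode("ascii")


def scan_dump(blob: bytes) -> dict:
    """Map each access key ID in `blob` to the secret-shaped strings found near it."""
    found = {}
    for enc in ENCODINGS:
        key_re, secret_re = _patterns(enc)
        span = WINDOW * (1 if enc == "ascii" else 2)
        for m in key_re.finditer(blob):
            near = secret_re.finditer(blob, max(0, m.start() - span), m.end() + span)
            secrets = found.setdefault(_text(m.group()), set())
            secrets.update(_text(s.group()) for s in near)
    return found


# Constructed sample dump: AWS's documented example key pair as 1-byte chars,
# plus a made-up temporary key ID stored as UTF-16BE.
SAMPLE_DUMP = (
    b"\x01\x02aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\x00"
    b"aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00\xff"
    + "id=ASIACONSTRUCTED00001;".encode("utf-16-be")
)

if __name__ == "__main__":
    for key_id, secrets in scan_dump(SAMPLE_DUMP).items():
        print(key_id, "secret-shaped neighbours:", len(secrets))
```

Any hit means the dump must be treated as a secret itself and the key rotated; an empty result does not prove the dump is clean, since credentials can also sit in compressed or otherwise encoded buffers.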

To delve deeper into this topic, please read the full article on CSO Online.
