this post was submitted on 27 Dec 2024
206 points (99.0% liked)


If emphasis wasn't already concentrated on the security of these connected vehicles, major oversight obviously...

top 26 comments
[–] MonkderVierte@lemmy.ml 17 points 9 hours ago* (last edited 9 hours ago)

Cariad emphasized that the data involved was not sensitive personal information like passwords or payment details, and no vehicles or services were impacted. Only certain vehicle data from online-connected cars were affected.

Mhm. This is the German version: https://www.heise.de/news/In-der-Cloud-abgelegt-Terabyte-an-Bewegungsdaten-von-VW-Elektroautos-gefunden-10220623.html

Translated: 10 TB of location data, half of it exact enough (10 cm) to allow conclusions about living conditions. Partially connected to app profiles with address and phone number.

[–] sith@lemmy.zip 1 points 7 hours ago* (last edited 7 hours ago)

VW just don't understand software. The car computer in my Passat GTE 2020 is quite broken and they won't fix it even during a 1000 € "official" service. I basically have to hack/flash the computer myself if I want it to become fully functional. Not really what I want to do, considering how much money I've been pouring into this silver beast...

[–] quoll@lemmy.sdf.org 17 points 17 hours ago (1 children)

maybe we could start to reduce the cost of electric cars by not overloading them with all the connected internet of shit crap?!?

i know the kids in china like to have karaoke machines in their cars... but i kinda just want bluetooth for my music and that's it.

[–] atrielienz@lemmy.world 2 points 7 hours ago

It doesn't cost them much of anything to include the modem (which is the main problem), and the data they receive is very valuable. I agree that less tech is good and all new cars (not just electric) are full of stuff I would prefer they came without. But the connected Internet shit also allows for software updates OTA. That's a double-edged sword. Without it you'd have to take your vehicle to a dealer if it needed a necessary software update (for a recall for instance). But obviously, having it means they can do things to your car without you even necessarily knowing or understanding what is happening (risky, for multiple reasons, including removing features with a botched software update).

[–] original_reader@lemm.ee 6 points 15 hours ago (2 children)

What happens if I disable the Internet connection of my car?

[–] atrielienz@lemmy.world 4 points 7 hours ago

Depends on the car and whether or not you can even get to that modem connection without tearing apart the interior. The main problem is if it's linked to the main computer (ECU), or similar. If it is, your vehicle may be undrivable. It's better to talk to the company who made your car and have them disable it. You may have to have a lawyer do so. If you're buying a new car it is certainly possible to disagree to those terms that would activate it. But apparently not possible to have them build the car without it (which I think is bogus as hell). There was a big article about this after an investigation by Mozilla more than a year ago. People on reddit (I know!) were pretty mad about it then and they were looking for solutions. The consensus was that some cars you can get to the modem, some cars you can't.

Also, you may not be able to receive necessary software updates (recalls etc) if you do disable it.

[–] MonkderVierte@lemmy.ml 1 points 9 hours ago* (last edited 7 hours ago) (2 children)

You are not allowed to drive anymore; your car needs to be able to call emergency response. Is an EU rule.

Edit: called eCall, compulsory.

When eCall is activated, it connects to the nearest emergency response centre, using both a telephone and data link. This allows you and the passengers in the vehicle to communicate with the emergency centre operator and at the same time, a minimum set of data is automatically transmitted (your exact location, the time of the accident, your vehicle's identification number and direction of travel). This allows the emergency services to assess and manage your situation.

[–] Mr_Blott@feddit.uk 3 points 7 hours ago* (last edited 7 hours ago) (1 children)

Your eCall system is only activated if your vehicle is involved in a serious accident. The rest of the time the system remains inactive. This means that when you are simply driving your vehicle, no tracking (registering your car's position or monitoring your driving) or transmission of data takes place.

When a call is made through your 112-based eCall system, your personal data is processed according to EU data protection rules. This means that the emergency services only receive the limited data they need to deal with the accident situation, your data is not stored for any longer than necessary, and is removed when no longer required. Read more about EU data protection and privacy rules.

Important bit emphasised

[–] MonkderVierte@lemmy.ml 1 points 3 hours ago (2 children)

Yes, thanks. My question is more, if the vendor already has to add a sim card and data plan, are they forbidden from using it for other things?

[–] gloriousspearfish@feddit.dk 1 points 1 hour ago (1 children)

They don't need a SIM and data plan, if they only call 112.

[–] MonkderVierte@lemmy.ml 1 points 12 minutes ago

using both a telephone and data link. […] a minimum set of data is automatically transmitted (your exact location, the time of the accident, your vehicle's identification number and direction of travel).

[–] Mr_Blott@feddit.uk 1 points 1 hour ago (1 children)
[–] MonkderVierte@lemmy.ml 1 points 11 minutes ago

Can't sue if nobody knows about it.

[–] InFerNo@lemmy.ml 2 points 9 hours ago

That sounds like it should be able to make a mobile call, not connect to the internet, but they probably require the latter.

[–] MakingWork@lemmy.ca 61 points 1 day ago (1 children)

Article says the following was breached:

Detailed location logs showing exactly where and when cars were parked.

Personal information of owners, such as names, email addresses, and phone numbers.

Insights into users’ routines, workplaces, leisure spots, and even sensitive visits, such as government offices, hospitals, and private establishments.

That is a lot of information about a person's life.

[–] Zorsith@lemmy.blahaj.zone 17 points 17 hours ago

Aggregating information can increase its sensitivity level, government employees deal with this on a regular basis; why are they giving data breaches like this the kiddie gloves?

[–] sudo42@lemmy.world 15 points 20 hours ago (1 children)

Cariad emphasized that the data involved was not sensitive personal information like passwords or payment details, and no vehicles or services were impacted. Only certain vehicle data from online-connected cars were affected.

The company said "no[t] sensitive personal information" was involved. Nothing to see here. Move along. /s

What they actually said was, "None of our personal information was exposed, so we're not concerned."

[–] Someonelol@lemmy.dbzer0.com 33 points 23 hours ago (1 children)

This won't persuade legislators to pass vehicle privacy laws one bit. Not until it personally affects them.

[–] taladar@sh.itjust.works 28 points 23 hours ago (1 children)

So what you are saying is that unless the next CEO assassin uses vehicle data to figure out where his target is it won't happen?

[–] Someonelol@lemmy.dbzer0.com 12 points 22 hours ago

Well if you frame it like that you might get their attention sooner.

[–] cyborganism@lemmy.ca 42 points 1 day ago (1 children)

Man... just stop putting complex computers that connect online, turning every fucking thing from your toaster to your whole house into an IoT. We don't need this.

I just want four wheels with a steering wheel and a couple of pedals to operate my electric car. Not a god damn glorified tablet on wheels.

[–] taladar@sh.itjust.works 39 points 1 day ago (1 children)

As people have been saying for years, the S in IoT stands for security.

[–] cyborganism@lemmy.ca 9 points 23 hours ago

😂 😂 😂 😂

[–] BearOfaTime@lemm.ee 12 points 1 day ago

All together now:

I. Told. You. So.

[–] sunzu2@thebrainbin.org 1 points 22 hours ago

Fuck the pedons harder, daddies