this post was submitted on 27 Mar 2025
93 points (94.3% liked)

Europe

5078 readers
1777 users here now

News and information from Europe 🇪🇺

(Current banner: La Mancha, Spain. Feel free to post submissions for banner images.)

Rules (2024-08-30)

  1. This is an English-language community. Comments should be in English. Posts can link to non-English news sources when providing a full-text translation in the post description. Automated translations are fine, as long as they don't overly distort the content.
  2. No links to misinformation or commercial advertising. When you post outdated/historic articles, add the year of publication to the post title. Infographics must include a source and a year of creation; if possible, also provide a link to the source.
  3. Be kind to each other, and argue in good faith. Don't post direct insults nor disrespectful and condescending comments. Don't troll nor incite hatred. Don't look for novel argumentation strategies at Wikipedia's List of fallacies.
  4. No bigotry, sexism, racism, antisemitism, dehumanization of minorities, or glorification of National Socialism.
  5. Be the signal, not the noise: Strive to post insightful comments. Add "/s" when you're being sarcastic (and don't use it to break rule no. 3).
  6. If you link to paywalled information, please provide also a link to a freely available archived version. Alternatively, try to find a different source.
  7. Light-hearted content, memes, and posts about your European everyday belong in !yurop@lemm.ee. (They're cool, you should subscribe there too!)
  8. Don't evade bans. If we notice ban evasion, that will result in a permanent ban for all the accounts we can associate with you.
  9. No posts linking to speculative reporting about ongoing events with unclear backgrounds. Please wait at least 12 hours. (E.g., do not post breathless reporting on an ongoing terror attack.)

(This list may get expanded when necessary.)

We will use some leeway to decide whether to remove a comment.

If need be, there are also bans: 3 days for lighter offenses, 14 days for bigger offenses, and permanent bans for people who don't show any willingness to participate productively. If we think the ban reason is obvious, we may not specifically write to you.

If you want to protest a removal or ban, feel free to write privately to the mods: @federalreverse@feddit.org, @poVoq@slrpnk.net, or @anzo@programming.dev.

founded 9 months ago
MODERATORS
federalreverse@feddit.org
poVoq@slrpnk.net
anzo@programming.dev
93
Brussels is ‘behind the curve’ as Chinese spy-EVs become commonplace (www.euractiv.com)
submitted 6 days ago* (last edited 6 days ago) by zaxvenz@lemm.ee to c/europe@feddit.org
34 comments fedilink hide all child comments
 

China’s secret services could use sensors and cameras in the cars to monitor secure areas, wiretap passenger conversations and access phones that are plugged into the vehicle, CSRI senior policy director Sam Goodman said.

you are viewing a single comment's thread
view the rest of the comments
[–] Saleh@feddit.org 7 points 5 days ago (1 children)

Misconfigured to the point that all the data was collected, centrally stored and then accessible from the outside. These are at least two misconfiguration and one mayor architecture issue (central storage).

[–] troed@fedia.io 2 points 5 days ago (1 children)

I think your view on what happened is based on media headlines rather than the actual technical facts.

https://soundofdevelopment.substack.com/p/volkswagen-data-leak-location-tracking

[–] Saleh@feddit.org 8 points 5 days ago (1 children)

Since Spring Boot version 1.5 is over 7 years old, that's unlikely to be the cause. Instead, someone must have explicitly enabled the heap dump endpoint in production without authentication.

That is the major configuration problem that got the data accesible

Let's recap. We now have user profiles showing which cars people drive and tracking data that sometimes spans years. While this data collection is covered in the terms and conditions for product improvement analysis, Volkswagen says they track this data to understand battery lifecycles better. Still, the need for location data remains unclear. The terms and conditions state that GPS data is truncated, which would significantly reduce tracking capabilities if accuracy drops to around 10 kilometers. Audi and Škoda implemented this correctly—cars from their fleet had location data truncated to approximately 10-kilometer accuracy. However, the problem arose with VW and Seat vehicles, where location data remained precise down to 10 centimeters.

That is the first configuration problem, to collect this data in the first place and then to collect it down to this level of precision.

This remains with the major architectural problem.

They could access complete user profiles and location data by combining this data. The breach revealed:

Enrollment data for both electric and non-electric vehicles, including details like VIN, model, year, and user ID

User data, including name, email, phone, and in some cases, physical addresses and preferred dealerships

EV data: Mileage, battery temperature, battery status, charging status, and even warning light data

Tracking data only for electric cars: GPS coordinates of the vehicles’ locations recorded every time the engine was turned off

All this data is stored in one place. Leaving aside the discussion of whether this data should be collected in the first place, there would be a strong reason to separate the data supposedly collected for technical analysis from the data that identifies who owns the car. Of course in the case of location data down to 10cm accuracy that is a bit moot as you can get the home address easily from the location data.

Please let me know if there was something i missed regarding my assessment of two configuration problems and one architectural problem.

[–] troed@fedia.io -1 points 5 days ago

Yeah, you missed how this is absolutely nothing like "we wank to you in-car videofeed"-Tesla and "we spy for the Chinese government"-BYD

A security hole exposing data that the users have agreed to share is nothing like companies willfully breaking user integrity.

You know this of course, you just don't like being corrected.