
June 4, 2025 12 mins
Hacking Your Ride: Unpacking Volkswagen's App Flaws & Fortifying Mobility Security

In this episode of Upwardly Mobile, we delve into the alarming discovery of significant security flaws in the My Volkswagen mobile app and explore how robust mobile app protection is crucial for the evolving mobility sector. Join us as we dissect the vulnerabilities found and discuss solutions to safeguard connected vehicles and sensitive user data.

What We Discussed:
• The Volkswagen App Hack Explained: We explore how a security researcher, frustrated by not receiving an OTP for a pre-owned car's My Volkswagen app, discovered critical vulnerabilities. By brute-forcing a four-digit OTP (One-Time Password), the researcher gained access to the app, which then revealed deeper security issues.
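The brute-force step only works because a four-digit code has 10,000 possible values and the verification endpoint kept accepting guesses. The following is an added illustration, not code from the app or from Volkswagen: an in-memory OTP verifier whose throttle=False mode reproduces the unlimited-guess behaviour, beside the hardened mode that invalidates the code after a handful of wrong attempts, expires it, makes it single-use and compares it in constant time. The policy values (five attempts, five-minute validity) and the session-keyed store are assumptions for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for the hardened verifier (not taken from the app).
OTP_DIGITS = 4          # the app's code length: only 10**4 = 10,000 possibilities
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is invalidated
OTP_TTL_SECONDS = 300   # how long a code stays valid


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class OtpVerifier:
    """In-memory OTP store keyed by session. throttle=False reproduces the
    unlimited-guess behaviour that makes a 4-digit code brute-forceable."""

    def __init__(self, digits=OTP_DIGITS, max_attempts=MAX_ATTEMPTS,
                 ttl=OTP_TTL_SECONDS, throttle=True):
        self.digits = digits
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.throttle = throttle
        self._records = {}

    def issue(self, session_id, now=None):
        """Generate a fresh code with a CSPRNG and return it (in a real system
        it is sent to the user's phone, never returned to the API caller)."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._records[session_id] = OtpRecord(code=code, issued_at=now)
        return code

    def verify(self, session_id, guess, now=None):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_otp'."""
        now = time.time() if now is None else now
        rec = self._records.get(session_id)
        if rec is None:
            return "no_otp"
        if now - rec.issued_at > self.ttl:
            del self._records[session_id]
            return "expired"
        if self.throttle:
            if rec.locked:
                return "locked"
            rec.attempts += 1
            if rec.attempts > self.max_attempts:
                rec.locked = True      # code is dead; the user must request a new one
                return "locked"
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(rec.code.encode(), guess.encode()):
            del self._records[session_id]   # single use
            return "ok"
        return "wrong"


def brute_force(verifier, session_id, digits=OTP_DIGITS):
    """Attacker loop: submit every code in order until one is accepted or the
    server stops answering usefully. Returns (outcome, number_of_requests)."""
    for n in range(10 ** digits):
        result = verifier.verify(session_id, f"{n:0{digits}d}")
        if result in ("ok", "locked", "expired", "no_otp"):
            return result, n + 1
    return "exhausted", 10 ** digits
```

Against the unthrottled verifier the loop always succeeds within 10,000 requests; against the throttled one it gets at most MAX_ATTEMPTS + 1 requests before the code is dead, so the attacker's only option is to trigger a fresh code, which a per-phone-number issuance limit should cap in turn. Lengthening the code (six digits is common) raises the cost further but is no substitute for the attempt limit.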

Serious Vulnerabilities Uncovered:
◦ Internal Credentials Leaked: An API endpoint exposed passwords, tokens, and usernames for various internal services, including payment processing details and CRM tools like Salesforce, in cleartext.
◦ Owner's Personal Details Exposed via VIN: Simply using a car's VIN (Vehicle Identification Number), an API endpoint revealed extensive customer information from service and maintenance packages. This included names, phone numbers, postal addresses, email addresses, car details (model, colour, registration number, chassis number, engine number), active service contracts, purchase dates, and payment amounts.

◦ Vehicle Service History Accessible via VIN: The VIN also allowed access to a car's full service history, including details of work performed, customer personal information, and even customer survey results for each workshop visit.
◦ Additional Data Exposure: Further API endpoints revealed vehicle telematics data, and in some cases, even education qualifications and driving licence numbers, demonstrating a serious scope of customer data exposure.
• The Alarming Impact of These Flaws: These vulnerabilities meant that anyone with just a car's VIN (which is often visible through the windshield) could access real-time vehicle location, engine health, fuel stats, tyre pressure, geo-fencing controls, and all personal details associated with the owner, including home address, phone number, email, and driving licence. This poses severe risks from stalkers, criminals, scammers, and hackers who could exploit this data for nefarious purposes, including selling it on the deep web or potentially accessing car systems in the future.
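Every VIN-keyed endpoint above (owner details, service history, telematics) shares one defect: the VIN, a value readable through the windshield, is treated as proof of ownership, so the lookup is a broken object-level authorization. The following is an added example, not code from the app or from Volkswagen, using constructed vehicle and owner records: the unchecked lookup as the episode describes it, beside a handler that validates the VIN format and resolves it only within the authenticated caller's own vehicles, answers 404 for anyone else's VIN so existence is not confirmed, and counts denials as a VIN-enumeration signal for detection. The data model, the session-user parameter and the in-memory ownership table are assumptions of the example.

```python
import re
from dataclasses import dataclass, asdict

# Real VINs are 17 characters from this alphabet (I, O and Q are never used).
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")


@dataclass(frozen=True)
class Vehicle:
    vin: str
    owner_id: str
    model: str
    registration: str
    owner_name: str
    owner_phone: str
    owner_address: str


# Constructed sample records: invented VINs, owners and contact details.
VEHICLES = {
    "WVWZZZ1KZAW123456": Vehicle("WVWZZZ1KZAW123456", "user-1", "Polo", "MH01AB1234",
                                 "A. Owner", "+91-00000-00001", "1 Example Road"),
    "WVWZZZ3CZBE654321": Vehicle("WVWZZZ3CZBE654321", "user-2", "Tiguan", "KA05CD5678",
                                 "B. Owner", "+91-00000-00002", "2 Example Road"),
}
# Ownership is a fact the server already holds; the client never asserts it.
OWNED_BY = {"user-1": {"WVWZZZ1KZAW123456"}, "user-2": {"WVWZZZ3CZBE654321"}}

DENIED_LOOKUPS = []   # (user, vin) pairs; a burst from one user is VIN enumeration


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


def vehicle_details_insecure(vin):
    """The pattern the episode describes: the VIN is the only input and is
    treated as authorization, so anyone holding a VIN gets the owner's PII."""
    v = VEHICLES.get(vin)
    if v is None:
        raise ApiError(404, "not found")
    return asdict(v)


def vehicle_details(session_user, vin):
    """Hardened version: validate the VIN, then resolve it only among the
    vehicles bound to the authenticated session."""
    if not VIN_RE.match(vin):
        raise ApiError(400, "invalid VIN")
    if vin not in OWNED_BY.get(session_user, set()):
        DENIED_LOOKUPS.append((session_user, vin))
        # 404 rather than 403: a 403 would confirm that the VIN exists.
        raise ApiError(404, "not found")
    body = asdict(VEHICLES[vin])
    del body["owner_id"]   # internal key the app has no use for
    return body


def denied_lookups_for(user):
    """Detection hook: how many foreign-VIN requests a user has made."""
    return sum(1 for u, _ in DENIED_LOOKUPS if u == user)


def call(fn, *args):
    """Adapter mimicking the HTTP layer: returns (status, body)."""
    try:
        return 200, fn(*args)
    except ApiError as e:
        return e.status, {"error": e.message}
```

The same ownership check belongs in front of the service-history and telematics endpoints; the credentials endpoint needs no such check because no client should ever receive internal service secrets at all. Alerting when denied_lookups_for crosses a small threshold per hour turns a scraping attempt into a detectable event rather than a silent success.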
• Volkswagen's Response: The vulnerability was reported to Volkswagen's security team on 23 November 2024, leading to a responsive dialogue and eventual patching of the vulnerabilities by 6 May 2025.

• Protecting Mobility Apps with Approov: The incident highlights the critical need for robust mobile app security in the rapidly growing pay-per-use mobility market. Approov provides solutions that authenticate mobile apps and secure APIs, without impacting customer experience.
• How Approov Secures Mobility Services:
◦ Blocks Data Scraping: Ensures data is accessible only by legitimate mobile apps, blocking tampered apps and scraper bots.
◦ Prevents Unauthorized Aggregation: Helps retain control of the customer journey by forcing all-in-one services to refer customers to the official app.
◦ Stops Digital Key Extraction: Blocks malicious attempts to intercept key authorisation during vehicle unlock and start processes, even allowing access without internet connectivity for authentic apps.
◦ Mitigates Denial or Delay of Service Attacks: Authenticates apps to ensure legitimate API requests come only from the mobile app, dropping malicious traffic before it reaches backend services.
◦ Secures API Endpoints: Blocks API probing and improper usage by securing communications and locking down mobility APIs to authorized apps only.
• BMW Group's Adopt

© 2025 iHeartMedia, Inc.