Hacking Your Ride: Unpacking Volkswagen's App Flaws & Fortifying Mobility Security
In this episode of Upwardly Mobile, we delve into the alarming discovery of significant security flaws in the My Volkswagen mobile app and explore how robust mobile app protection is crucial for the evolving mobility sector. Join us as we dissect the vulnerabilities found and discuss solutions to safeguard connected vehicles and sensitive user data.
What We Discussed:
• The Volkswagen App Hack Explained: We explore how a security researcher, frustrated by not receiving an OTP for a pre-owned car's My Volkswagen app, discovered critical vulnerabilities. By brute-forcing a four-digit OTP (One-Time Password), the researcher gained access to the app, which then revealed deeper security issues.
• Serious Vulnerabilities Uncovered:
◦ Internal Credentials Leaked: An API endpoint exposed passwords, tokens, and usernames for various internal services, including payment processing details and CRM tools like Salesforce, in cleartext.
◦ Owner's Personal Details Exposed via VIN: Simply using a car's VIN (Vehicle Identification Number), an API endpoint revealed extensive customer information from service and maintenance packages. This included names, phone numbers, postal addresses, email addresses, car details (model, colour, registration number, chassis number, engine number), active service contracts, purchase dates, and payment amounts.
◦ Vehicle Service History Accessible via VIN: The VIN also allowed access to a car's full service history, including details of work performed, customer personal information, and even customer survey results for each workshop visit.
◦ Additional Data Exposure: Further API endpoints revealed vehicle telematics data and, in some cases, even education qualifications and driving licence numbers, demonstrating the serious scope of customer data exposure.
• The Alarming Impact of These Flaws: These vulnerabilities meant that anyone with just a car's VIN (which is often visible through the windshield) could access real-time vehicle location, engine health, fuel stats, tyre pressure, geo-fencing controls, and all personal details associated with the owner, including home address, phone number, email, and driving licence. This poses severe risks from stalkers, criminals, scammers, and hackers who could exploit this data for nefarious purposes, including selling it on the deep web or potentially accessing car systems in the future.
• Volkswagen's Response: The vulnerability was reported to Volkswagen's security team on 23 November 2024, leading to a responsive dialogue and eventual patching of the vulnerabilities by 6 May 2025.
• Protecting Mobility Apps with Approov: The incident highlights the critical need for robust mobile app security in the rapidly growing pay-per-use mobility market. Approov provides solutions that authenticate mobile apps and secure APIs, without impacting customer experience.
• How Approov Secures Mobility Services:
◦ Blocks Data Scraping: Ensures data is accessible only by legitimate mobile apps, blocking tampered apps and scraper bots.
◦ Prevents Unauthorized Aggregation: Helps retain control of the customer journey by forcing all-in-one services to refer customers to the official app.
◦ Stops Digital Key Extraction: Blocks malicious attempts to intercept key authorisation during vehicle unlock and start processes, even allowing access without internet connectivity for authentic apps.
◦ Mitigates Denial or Delay of Service Attacks: Authenticates apps to ensure legitimate API requests come only from the mobile app, dropping malicious traffic before it reaches backend services.
◦ Secures API Endpoints: Blocks API probing and improper usage by securing communications and locking down mobility APIs to authorized apps only.
• BMW Group's Adoption of Approov: We discuss how the BMW Group has successfully integrated Approov into their car sharing platform to balance top-class security with excellent customer experience. This software-only solution provides a patented 'DNA test' to attest that API requests are coming from a genuine mobile app instance running in a safe environment, and has even been enhanced to work over Bluetooth for intermittent internet connectivity. Approov's SDK is already deployed in several thousand BMW Group vehicles.
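As an added example (not code from the write-up, Volkswagen or Approov), here is a Python sketch of the two server-side checks whose absence the episode describes: an OTP verifier that caps guesses per issued four-digit code and expires it, so brute-forcing the 10,000 possible values is no longer viable, and a VIN lookup that returns owner data only to the account that registered the vehicle. The class and function names, the attempt limit, the TTL and the owner register are all assumptions constructed for the example.

```python
import hmac
import secrets
import time

OTP_DIGITS = 4           # a 4-digit code has only 10 ** 4 = 10,000 possible values
MAX_ATTEMPTS = 5         # guesses allowed per issued code before it is invalidated (assumed)
OTP_TTL_SECONDS = 300    # code lifetime (assumed)


class OtpStore:
    """Per-identity OTP state with attempt counting, expiry and single use (constructed)."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # identity -> [code, expires_at, attempts_left]

    def issue(self, identity):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[identity] = [code, self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # delivered only over the SMS channel, never in the API response

    def verify(self, identity, guess):
        entry = self._codes.get(identity)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._codes[identity]
            return False
        entry[2] -= 1                        # every guess, right or wrong, costs an attempt
        if hmac.compare_digest(code, guess):  # constant-time comparison
            del self._codes[identity]         # single use
            return True
        if entry[2] == 0:
            del self._codes[identity]         # exhausted: caller must request a fresh code
        return False


def guess_success_probability():
    """Chance of guessing one issued code within the attempt budget (0.05% here)."""
    return MAX_ATTEMPTS / 10 ** OTP_DIGITS


# Constructed owner register: VIN -> account that registered the car (placeholder VINs)
OWNERS = {"VINEXAMPLE0000001": "alice", "VINEXAMPLE0000002": "bob"}


def vehicle_details(authenticated_user, vin):
    """Object-level authorization: knowing a VIN is not the same as owning the car."""
    if OWNERS.get(vin) != authenticated_user:
        return None  # respond 403/404; the VIN alone must not unlock owner data
    return {"vin": vin, "owner": authenticated_user}
```

The VIN check is the point of the second function: the endpoint the researcher found returned owner details to any caller that supplied a VIN, so the lookup must be keyed to the authenticated account, not to the identifier printed on the windshield.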
Why This Matters: As the transportation market transforms with shared-use models and connected vehicles, API security becomes even more critical to protect both customer data and vehicle systems.
Relevant Links:
• Read the full write-up on the Volkswagen security flaws: [Excerpts from "Hacking My Car, and probably yours— Security Flaws in Volkswagen’s App | by LoopSec | May, 2025 | InfoSec Write-ups"]
• Learn more about mobile app protection for mobility apps: [Excerpts from "Mobile App Protection for Mobility Apps | Approov"]
• Explore the BMW Group's case study with Approov: [Excerpts from "https://approov.io/download/Approov-BMW-Story.pdf"]
• Sponsor: Protect your mobile apps and APIs. Visit approov.io for more information and to request a demo or free trial!
Keywords: mobile app security, car hacking, Volkswagen app, vehicle security, API security, cybersecurity, data privacy, mobility apps, car sharing, Approov, ethical hacking, digital key, automotive security, VIN number, information security, data breaches, connected cars, IoT security.