π Diagram: Volkswagen-Cariad Automotive System β
π Link to Original Paper/Article β
π Short Description β
This diagram illustrates the issues associated with the Volkswagen (and Cariad) scandal and data leakage affecting their automobile fleet. It shows how information flows between the mobile app, internal servers (and storage), and the in-vehicle system. The first (leftmost) section of the diagram presents a simplified data flow from the mobile app, including functionalities such as login, retrieving the car's location, locking the car, and more. This part connects to Cariadβs main Spring application, which is primarily responsible for storing all vehicle-related data. Finally, on the right side of the diagram, we see the in-car system, composed of sensors, actuators, controllers, control modules, and communication components.
This DFD represents what we think the architecture of the system should look like, as this is private company information we have inferred the different sections of the diagram from information mentioned on the main source article, the Spring documentation and other resources regarding the inner functioning of car systems.
π€ Abbreviations β
- ECU: Electronic Control Unit
π Extensive Description (if possible) β
Starting from the left side of the diagram there is the authentication process for a Customer which want to be identified in the VWs Mobile App for accessing different functionalities of its car remotely. This can be seen through the Mobile App UI nod and the corresponding function nodes such as Start AC, Get Car Location, etc.
From those functionalities, the given commands to be executed on the car flow in to the Spring App through the Spring Security node which verifies the secureness of those commands, and in case there is something wrong (e.g. wrong credentials) it send a security_event to the Spring Actuator node. This central part of the diagram shows the main functionality of the VW-Cariads system. For our case study regarding the scandal the most important nodes are Spring Web Controller, Spring Actuator, and Spring App Memory. The first one manages the request (e.g. from the mobile app) and forwards them to the Spring Actuator. This second one then forwards the requests to the defined endpoints (e.g. Aditevent Repository, Http Trace Endpoint, etc). The last one (Spring App Memory) loads the memory of the spring app into the endpoint Heapdump (which was the central point of the scandal as it had public access).
Finally the left-most part shows the inner components of the car such as the High Perfomance Computer which receives the commands from the app and forwards them to the Vehicle Communication Bus and finally to their respective components (e.g. Navigation ECU, Body Control Module, etc). The High Performance Computer also manages the retrieving and storing of data from the car sensors and sends them to the Spring App through the Azure event Grid.
π·οΈ Label description β
ποΈ Data Labels: β
DataEncryption: β
- NonEncrypted: Non-encrypted data
- Encrypted: Encrypted data
DataSensitivity: β
- Personal: Data that is personal
- Anonymized: Data that is anonymized
- NonAnonymized: Data that is not anonymized
- Confidential: Data that is confidential
UserClearance: β
- Authenticated: User has been correctly authenticated
- NonAuthenticated: User has not been correctly authenticated
DataBaseToken: β
- AzureToken: Token to access Azure DB
- AWSToken: Token to access AWS DB (S3 bucket)
SecurityEvent: β
- SecurityEvent: Security Event information generated by the Flask app
RequestSensitivity: β
- Confidential: The request is confidential (or for confidential information)
- Public: The request is public
Credentials: β
- Valid: Credentials are valid (after being checked)
- NonValid: Credentials are not valid
π·οΈ Node Labels: β
EndpointConfiguration: β
- Private: Endpoint is private and can only be accessed by certain members of the company
- Public: Endpoint is public and can be accessed by anyone
- SpringMemory: The endpoint is the Spring App Memory
DataBaseType: β
- AzureDataLake: DB is from Azure
- AWSBucket: DB is from AWS
CarControlUnits: β
- ECU: Electronic Control Unit of the car for a given component of the car
β οΈ Constraints β
Data which is classified as condifential can neverflow to an endpoint which is public:
- confidential_data:
data DataSensitivity.Confidential neverFlows vertex EndpointConfiguration.Public
- confidential_data:
Data which is not anonymized, and thus contains sensitive information about customers and their routes with their cars, should never flow to either data base types
- anonymized_db:
data DataSensitivity.NonAnonymized neverFlows vertex DataBaseType.AWSBucket,DataBaseType.AzureDataLake
- anonymized_db:
Requests which are confidential can never flow to endpoints that are public
- confidential_request:
data RequestSensitivity.Confidential neverFlows vertex EndpointConfiguration.Public
- confidential_request:
DB credentials should neverflow to an endpoint which is public:
- credentials_public:
data DataBaseToken.AWSToken,DataBaseToken.AzureToken neverFlows vertex EndpointConfiguration.Public
- credentials_public:
Data which is not encrypted should never flow to either database types:
- encrypted_data:
data DataEncryption.NonEncrypted neverFlows vertex DataBaseType.AWSBucket,DataBaseType.AzureDataLake
- encrypted_data:
A user whose authentication has not been cleared should never flow to a Car Control Unit:
- authenticated_command:
data UserClearance.NonAuthenticated neverFlows vertex CarControlUnits.ECU
- authenticated_command:
π¨ Violations β
The following violations relate to the issues revealed in the scandal referenced in the previous article (among others). These have been added to the diagram to highlight what went wrong.
The following violated constraints show that not only was the heapdump endpoint relatively easy to access, but it also exposed confidential and highly sensitive information (e.g., tokens for accessing databases):
- confidential_data
- confidential_request
- credentials_public
The next set of violations corresponds to another issue in the scandal: the presence of non-anonymized and unencrypted data in the AWS bucket:
- anonymized_db
- encrypted_data