A long-standing security vulnerability in EVA, the sales support software used by Volkswagen (VW) and Audi dealerships, has potentially exposed customer data in Germany for up to twenty years.
The issue was first discovered in November 2023 by a reader of Günter Born's blog, who noticed the security problem and contacted the editor for further investigation.
EVA, which stands for “Elektronischer Verkäuferarbeitsplatz” (Electronic Sales Workstation), is a Windows application running locally on dealership computers. It interfaces with an Oracle database, which also operates locally. Critically, the access password for this database was hardcoded into the software, using a commonly known football term, making it vulnerable to unauthorized access.
After being alerted by his reader, Born acted as an intermediary and reported the issue to VW's cybersecurity team in January 2024. Despite initial uncertainties about who was responsible for maintaining the software, the cybersecurity team at Volkswagen Financial Services AG quickly acknowledged the problem. They confirmed that the issue had already been identified during a recent audit and promised swift action to correct it.
VW committed to updating the EVA software to remove hardcoded passwords and to encrypt all user passwords previously stored in plaintext in the “Advisor” database table. By early March 2024, changes were underway, and by mid-April, the software updates were completed across all affected dealerships. Additionally, all dealership users were required to change their login passwords, and the admin users SYS and SYSTEM were instructed to update their passwords independently.
Following the update, the EVA system was tested and confirmed to function correctly with the new security measures in place. Volkswagen communicated that passwords for EVA database users, including EVA, EVA_USER, and EVAST, would be regularly updated going forward to enhance security.
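The two remediation steps the article describes, a built-in database password replaced by a secret provisioned outside the program and plaintext rows in the Advisor table replaced by protected ones, as an added Python illustration. This is not EVA's code (a Windows application the article does not show): sqlite3 stands in for the local Oracle database, the Advisor rows are constructed sample data, the environment variable name EVA_DB_PASSWORD is an assumption, and salted PBKDF2 hashing is used where the article says "encrypt", since a one-way hash is the standard way to store login passwords that only ever need to be verified.

```python
"""Added illustration (not EVA's code): fail closed instead of falling back to a
hardcoded DB password, and migrate a plaintext 'advisor' table to salted hashes.
sqlite3 is a stand-in for the local Oracle database described in the article."""
import hashlib
import hmac
import os
import secrets
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256; in the range OWASP recommends for this algorithm.
PBKDF2_ITERATIONS = 600_000
HASH_PREFIX = "pbkdf2_sha256$"


def get_db_password(env_var="EVA_DB_PASSWORD"):
    """Replacement for a password literal compiled into the binary: the secret must be
    provisioned on the host (env var name is an assumption); if it is missing we refuse
    to connect rather than fall back to a shared built-in value."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to use a built-in password")
    return value


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage.
    A fresh random salt per row means identical passwords get different hashes."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{HASH_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] + "$" != HASH_PREFIX:
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_legacy_advisor_table():
    """Constructed sample of the pre-fix state: an 'advisor' table whose password
    column holds plaintext values. The logins and passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE advisor (login TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO advisor VALUES (?, ?)",
        [("mueller", "sommer2021"), ("schmidt", "Passwort1")],
    )
    conn.commit()
    return conn


def migrate_advisor_table(conn):
    """Rewrite every plaintext password as a salted hash, in place.
    Idempotent: rows already in hashed form are skipped. Returns rows rewritten."""
    rewritten = 0
    for login, value in conn.execute("SELECT login, password FROM advisor").fetchall():
        if value.startswith(HASH_PREFIX):
            continue
        conn.execute(
            "UPDATE advisor SET password = ? WHERE login = ?", (hash_password(value), login)
        )
        rewritten += 1
    conn.commit()
    return rewritten


def check_login(conn, login, password):
    """Authenticate against the hashed column; unknown logins simply fail."""
    row = conn.execute("SELECT password FROM advisor WHERE login = ?", (login,)).fetchone()
    return row is not None and verify_password(password, row[0])


def no_plaintext_left(conn):
    """Post-migration check: every stored value must be in the hashed format."""
    return all(value.startswith(HASH_PREFIX) for (value,) in conn.execute("SELECT password FROM advisor"))
```

The migration is written to be re-runnable: a second pass finds only hashed rows and changes nothing, which is what you want when the update is rolled out to many dealership installations and some may be touched twice. Once `no_plaintext_left` is true the old plaintext values exist nowhere in the table, which is the property the rotation of the dealership users' passwords described above relies on.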
Impact on VW and Audi customers
The exact number of users affected by the hardcoded database password in the EVA software has not been specified. However, the software was widely used across VW and Audi dealerships in Germany and was integral to managing customer data, suggesting that a significant volume of sensitive information could have been at risk.
The type of data typically managed by dealership software systems like EVA would include personal details of customers such as names, addresses, contact information, and potentially financial details related to car purchases and services.
Considering that the flaw was present in the EVA software for over two decades, according to Born, it is not unlikely that unauthorized actors gained access to the clients' personal data, although a data breach hasn’t been confirmed yet.