Overview

• Security researcher Vishal Baskar discovered the flaw in Volkswagen's smartphone app in November 2024, which allowed access to vehicles and personal data using the Vehicle Identification Number (VIN).
• The vulnerability stemmed from an unprotected OTP system, enabling brute-force attacks to guess four-digit codes without restrictions or timeouts.
• Exploiting the flaw could expose sensitive user data, including home addresses, phone numbers, email addresses, and vehicle telematic information such as engine status and fuel levels.
• Volkswagen deployed fixes by May 2025, updating backend systems and patching the server-side flaw, but older app versions remain theoretically exploitable.
• The incident highlights broader security challenges in connected-car platforms, as public VINs and weak API controls create significant risks for user privacy and safety.