Recently, BMW, a world-renowned automaker, has been caught in a cloud storage security crisis. Researcher Can Yoleri reported that during a routine scan, he accidentally discovered that BMW's cloud storage servers, also known as "buckets," were misconfigured and set to a public access state instead of the expected private state. This serious configuration error exposed BMW's private keys, internal data, and other sensitive information to the public.
In the detailed report, Yoleri pointed out that the misconfigured bucket contained a large amount of sensitive information, including access information to Azure containers, keys to access private storage server addresses, and other details related to BMW cloud services. The leakage of this information undoubtedly provides a shortcut for potential attackers to compromise BMW's cloud services.
According to TechCrunch, the exposed data includes BMW's private keys to cloud services in China, Europe, and the United States, as well as login credentials for production and development databases. Although it is not clear exactly how much data was exposed, this incident undoubtedly poses a serious threat to BMW's information security.
BMW responded to the matter, confirming that the data breach did indeed affect Microsoft Azure buckets, which are based in storage development environments. A BMW spokesperson said that the incident did not involve customer or individual data, and that the company fixed the issue in early 2024 and will continue to monitor the situation with partners to prevent a recurrence of similar incidents.
However, although BMW says it has fixed the issue, researcher Yoleri notes that BMW has yet to revoke or change the set of passwords and credentials found in the exposed cloud storage servers. This situation raises deep questions about BMW's information security measures.
It's worth noting that this isn't the only recent data security incident involving an automotive giant. Previously, Mercedes-Benz, another well-known automaker, also exposed similar security issues. Security lab RedHunt reportedly discovered a GitHub private key in a Mercedes-Benz employee's repository, which gave access to all of Mercedes-Benz's internal GitHub servers.
Both incidents highlight the information security challenges faced by the automotive industry in its digital transformation journey. With the continuous development of the automotive industry and the wide application of cloud services, big data, artificial intelligence and other technologies, the information security pressure on automobile manufacturers is increasing. How to ensure information security while sustaining business development has become an urgent problem for the automotive industry to solve.
In response to this problem, industry experts suggest that automakers should strengthen the daily management of information security, improve the information security awareness of employees, conduct regular security vulnerability scans and risk assessments, and find and repair potential security problems in a timely manner. At the same time, cloud service providers should also strengthen their own security management and protection measures to ensure the security of customers' data.
Overall, these two incidents are a wake-up call for the entire automotive industry. While pursuing digital transformation, automakers must place a high priority on information security to ensure the security and privacy of user data. Only in this way can they remain invincible in the fierce market competition.