Nearly 20 car makers have had API security vulnerabilities that let attackers remotely unlock and start vehicles, track where a car is, and steal the owner's personal information.
Recently, according to a TechCrunch report, a misconfigured cloud storage server belonging to the automotive giant BMW exposed sensitive information such as private keys and internal data.
After the news broke, a BMW spokesperson confirmed that the exposure affected a Microsoft Azure bucket used as a storage-based development environment, and said that no customer or personal data was affected. The spokesperson added: "The BMW Group has fixed this issue in early 2024 and we will continue to monitor the situation with our partners."
Researcher Can Yoleri reported that during a routine scan he came across one of BMW's cloud storage servers, commonly called a "bucket" (in Azure Blob Storage, a container), that had been misconfigured: its access level was set to public instead of the intended private. That single setting exposed BMW's private keys, internal data and other sensitive material to anyone on the internet. In his report, Yoleri noted that the bucket held a large amount of sensitive information, including access details for Azure containers, keys for private storage server addresses, and other details of BMW's cloud services. Leaked material of this kind is a shortcut for an attacker: instead of breaking in, they simply log in with the credentials they found.
The exposed data reportedly included private keys for BMW's cloud services in China, Europe and the United States, as well as login credentials for BMW's production and development databases, although exactly how much data was exposed is unclear.
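The check behind Yoleri's finding is simple to reproduce for your own storage accounts: an Azure Blob container whose public-access level is "container" answers an unauthenticated listing request with an XML directory of its blobs. The script below is an added example, not code from the TechCrunch report, from Can Yoleri or from BMW; the account and container names are made up, and the two XML samples are constructed in the shape Azure returns for a permitted and a refused anonymous listing.

```python
"""Check whether an Azure Blob Storage container allows anonymous access.

Added example; it is not code from the TechCrunch report, from Can Yoleri or
from BMW. The account and container names are made up, and SAMPLE_LISTING and
SAMPLE_DENIED are constructed responses in the XML shape Azure returns.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Anonymous listing works only when the container's public-access level is
# "container". At level "blob" the listing is refused but every blob is still
# readable by anyone who knows its URL, so a negative result here does not
# prove the data is private; check known blob URLs as well.
LIST_QUERY = "?restype=container&comp=list"

# Blob names that usually mean credentials rather than build output.
SENSITIVE_HINTS = (".pem", ".key", ".pfx", ".p12", "id_rsa", "credentials",
                   "secret", ".env", "connectionstring")

# Constructed sample: what a publicly listable container answers with.
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="devbuilds">
  <Blobs>
    <Blob><Name>build/app.zip</Name><Properties><Content-Length>1024</Content-Length></Properties></Blob>
    <Blob><Name>config/deploy-key.pem</Name><Properties><Content-Length>1704</Content-Length></Properties></Blob>
    <Blob><Name>config/appsettings.json</Name><Properties><Content-Length>512</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

# Constructed sample: the error body Azure sends when anonymous listing is refused.
SAMPLE_DENIED = """<?xml version="1.0" encoding="utf-8"?>
<Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.</Message></Error>"""


def classify_listing(status, body):
    """Turn the HTTP status and body of an anonymous list request into a verdict."""
    if status == 200 and "<EnumerationResults" in body:
        return "public-listing"
    if status in (403, 404):
        # 403 AuthorizationFailure, 404 ResourceNotFound / PublicAccessNotPermitted
        return "not-anonymously-listable"
    return "unexpected-%d" % status


def blob_names(listing_xml):
    """Extract blob names from an EnumerationResults document."""
    root = ET.fromstring(listing_xml)
    return [blob.findtext("Name", "") for blob in root.iter("Blob")]


def suspicious(names):
    """Keep only blob names that look like keys or credentials."""
    return [n for n in names if any(h in n.lower() for h in SENSITIVE_HINTS)]


def probe_container(account, container, timeout=10):
    """Live check against https://<account>.blob.core.windows.net/<container>.

    Only run this against storage accounts you are authorised to test.
    """
    url = "https://%s.blob.core.windows.net/%s%s" % (account, container, LIST_QUERY)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    verdict = classify_listing(status, body)
    names = blob_names(body) if verdict == "public-listing" else []
    return verdict, names, suspicious(names)


def demo():
    """Offline walk-through on the constructed samples."""
    verdict = classify_listing(200, SAMPLE_LISTING)
    names = blob_names(SAMPLE_LISTING)
    return verdict, names, suspicious(names), classify_listing(404, SAMPLE_DENIED)


if __name__ == "__main__":
    print(demo())
```

The offline `demo()` flags `config/deploy-key.pem` as the blob worth worrying about; `probe_container()` runs the same logic against a real account. A container that refuses the listing can still serve individual blobs anonymously at access level "blob", so treat "not-anonymously-listable" as "not yet shown to be public", not as a clean bill of health.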
BMW is not alone: Mercedes-Benz recently suffered a similar security incident. According to reports, the security lab RedHunt Labs found a GitHub private key in the ** repository of a Mercedes-Benz employee, and that key could access all ** on Mercedes-Benz's internal GitHub server.
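A credential committed to a repository is found by scanning file contents for the few formats that keys and tokens take. The scanner below is an added example, not code from RedHunt Labs or from Mercedes-Benz; its rules cover only PEM private-key headers and the documented GitHub token prefixes, and the sample tree it scans is constructed, with a made-up key and token that are not real credentials.

```python
"""Scan a source tree for committed private keys and GitHub tokens.

Added example; not code from RedHunt Labs or from Mercedes-Benz. The rules
cover only the formats named here, and SAMPLE_FILES is a constructed tree
with a made-up key and token; nothing in it is a real credential.
"""
import os
import re

# Each rule: (name, compiled regex). The PEM rule matches the header line, which
# is enough to locate the key; the token rules follow GitHub's documented prefixes.
RULES = [
    ("pem-private-key",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")),
    ("github-classic-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("github-fine-grained-token", re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b")),
    ("github-oauth-or-app-token", re.compile(r"\bgh[ousr]_[A-Za-z0-9]{36}\b")),
]

# Constructed sample files (path -> contents). The key body is filler text.
SAMPLE_FILES = {
    "README.md": "# demo\nNothing to see here.\n",
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\n"
        "git clone https://$GITHUB_TOKEN@github.internal.example/org/repo\n"
    ),
    "config/id_deploy": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAAFAKEFAKEFAKE\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}


def scan_text(path, text):
    """Return (path, line_number, rule_name) for every rule hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((path, lineno, name))
    return hits


def scan_files(files):
    """Scan an in-memory {path: contents} mapping (used for the sample)."""
    hits = []
    for path in sorted(files):
        hits.extend(scan_text(path, files[path]))
    return hits


def scan_tree(root, skip_dirs=(".git", "node_modules")):
    """Scan a checked-out tree on disk.

    This sees only the working copy: a secret deleted in a later commit is
    still in history, so also run scan_text() over `git log -p` output, and
    rotate any credential that was ever pushed rather than just removing it.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print("%s:%d %s" % hit)
```

On the sample tree the scanner reports the token on line 2 of `scripts/deploy.sh` and the key header on line 1 of `config/id_deploy`; a public-key block is deliberately not a hit. The same pattern set is what a pre-commit hook or a CI step should run before anything reaches a shared remote, because once a token is pushed the only safe fix is to revoke it.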
Tram Circle Observation:
Attackers can exploit such vulnerabilities to access, modify and delete owners' accounts, manage their vehicles, and even register themselves as the owner. It's crazy indeed!
Besides BMW and Mercedes-Benz, security vulnerabilities have also put user data at risk at world-renowned brands such as Ferrari, Porsche, Jaguar, Land Rover, Ford, Kia, Honda, Infiniti, Nissan, Acura, Hyundai and Toyota.
A reminder, then: when buying a used car, make sure the previous owner's account has been completely removed from the vehicle. Where available, use strong passwords and enable two-factor authentication for your vehicle's apps and services.