BMW reveals customers in Italy


Hackers have enjoyed their share of the spotlight by breaching automakers’ defenses. The latest Cybernews finding shows that popular car brands sometimes leave their doors open, as if inviting threat actors to feast on their customer data.

  • BMW disclosed sensitive files to the public

  • Attackers can exploit the data to steal the website’s source code and potentially gain access to customer information

  • BMW secured the data that was not meant to be public in the first place

  • BMW customers should be vigilant, as home addresses, vehicle location data and many other types of sensitive personal information are collected by the manufacturer

BMW, a German multinational manufacturer of luxury cars that delivers around 2.5 million cars a year, potentially exposed its trade secrets and customer data.

If a malicious hacker were to discover the flaw, they could exploit it to gain access to customer data, steal the company’s source code, and look for other vulnerabilities to exploit.

The discovery

In February, Cybernews researchers stumbled upon an unprotected environment (.env) and .git configuration files located on the official website of BMW Italia. Environment files (.env), intended to be stored locally, included data about production and development environments.

Researchers noted that while this information alone is not enough for threat actors to compromise the site, it can be used for reconnaissance – the covert discovery and gathering of information about a system. Such data can help compromise the website or point attackers to where customer information is stored and how to access it.

The .git configuration file, exposed to the public, would have allowed threat actors to find other exploitable vulnerabilities, since it contained the .git repository for the site’s source code.
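One way a site operator can tell, from ordinary access logs, whether .env or .git artifacts were merely probed for or actually served: the following is an added example, not code from the Cybernews article or from BMW. The log lines are constructed in combined log format with made-up IPs and timestamps.

```python
"""Flag requests for .env and .git artifacts in web server access logs."""
import re
from collections import Counter

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# /.env, /.env.<anything>, and anything under /.git/ should never be reachable.
SENSITIVE = re.compile(r'^/(?:\.env(?:\.[\w.-]+)?|\.git(?:/|$))')

# Constructed sample log: one client gets the files (2xx), another is refused.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2023:10:01:03 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.28"
203.0.113.7 - - [12/Feb/2023:10:01:04 +0000] "GET /.git/config HTTP/1.1" 200 264 "-" "python-requests/2.28"
198.51.100.2 - - [12/Feb/2023:10:05:00 +0000] "GET /.env HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.2 - - [12/Feb/2023:10:05:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "curl/7.88"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exposures(log_text):
    """Return (exposed, probes).

    exposed: list of (ip, path, bytes) for sensitive paths answered with 2xx,
             i.e. the file really was served to the client.
    probes:  Counter of client IPs that requested a sensitive path at all,
             regardless of status, so blocked probing is still visible.
    """
    exposed, probes = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not SENSITIVE.match(rec["path"]):
            continue
        probes[rec["ip"]] += 1
        if rec["status"].startswith("2"):
            exposed.append((rec["ip"], rec["path"], int(rec["size"])))
    return exposed, probes


if __name__ == "__main__":
    hits, who = find_exposures(SAMPLE_LOG)
    for ip, path, size in hits:
        print(f"EXPOSED {path} served to {ip} ({size} bytes)")
    print("clients probing for dotfiles:", dict(who))
```

A 2xx on one of these paths is the incident; 403/404 hits still show who is looking and deserve a place in your alerting.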

“The discovery illustrates that even well-known and trusted brands can have highly insecure configurations, allowing attackers to breach their systems to steal customer information or move laterally through the network. Customer information from such sources is particularly valuable to cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen,” the Cybernews research team said.

Sensitive files were generated by a framework that BMW Italia relies on – Laravel, a free and open source PHP framework designed for web application development.

In 2017, a vulnerability was discovered in the aforementioned framework. It scored 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS), since attackers exploiting the flaw can obtain sensitive information such as externally usable passwords. BMW Italia may either have been running a vulnerable Laravel version, or a current version that someone had mistakenly misconfigured.
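In a Laravel deployment the .env file and the .git directory sit in the project root, one level above the `public/` directory that is meant to be the only web-served path; the usual way they end up public is a server block whose root points at the project root. The nginx fragment below is an added illustration, not BMW Italia's configuration; the hostname, paths and PHP-FPM socket are assumed.

```nginx
# Weak: document root is the Laravel project root, so /.env and /.git/config
# are served as ordinary static files next to the application.
server {
    listen 80;
    server_name example.com;            # assumed hostname
    root /var/www/laravel-app;          # contains .env, .git/, public/ ...
    index index.php;

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        include fastcgi_params;
    }
}

# Hardened: serve only public/, and refuse dotfiles as a second layer in case
# the root is ever changed again.
server {
    listen 80;
    server_name example.com;
    root /var/www/laravel-app/public;   # only public/ is reachable from the web
    index index.php;

    # Any path component beginning with a dot (.env, .git, .htaccess ...) gets
    # a 404, so a probe cannot confirm the file exists. Logging stays on so the
    # probes remain visible in the access log.
    location ~ /\. {
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```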

Recommendations for BMW

  • Reset the GitLab CI token to avoid .git repository cloning and exploitation of other potential site vulnerabilities

  • Reset the credentials of MySQL and PostgreSQL databases, change ports and IP addresses of the host to avoid sensitive data leaks

  • Change the ports on which the administrative portals listen for incoming connections, to avoid exposing internal tools and giving attackers hints about which attacks to launch

What BMW knows about you

  • According to BMW Italia’s website, they collect a treasure trove of user information, including full names, addresses, phone numbers and email addresses

  • BMW also knows which vehicle you own, has contract details and the data in your online account that can be used for phishing and/or credential-stuffing attacks

  • BMW knows technical information about your vehicle, and the location of your phone if it has BMW or Mini connected apps installed. This information can even lead to the theft of your vehicle, as the attacker can determine whether you are inside the car or far away from it.

  • Since the data was secured by the manufacturer, there is no need to worry. However, we recommend that you remain vigilant at all times, carefully review any suspicious emails and monitor your bank details.

Car hacking

Various attempts to hack into cars make headlines quite often these days.

Recently, Europol arrested 31 suspects for allegedly using fraudulent software, marketed as a car diagnostic solution to unlock, start and steal vehicles without using the actual key.

In a strange case in France, criminals used a modified JBL Bluetooth speaker to hack into cars in less than a minute.

White-hat hackers demonstrated how to unlock Tesla by exploiting a Bluetooth vulnerability.

Recently, Hyundai and KIA released software updates for millions of car owners in an effort to combat a viral TikTok challenge, after teenage thieves began posting instructional videos showing viewers how to bypass the security system and connect their cars with just a screwdriver and a USB cable.

These are just a few amazing examples of how your new car is a smart device that can therefore be hacked. It also means that car manufacturers and their partners have a greater responsibility than ever to secure vehicles.

Still, cases where car brands fail to do so continue to pile up.

In January, good-faith security researchers discovered serious vulnerabilities at well-known car companies that could potentially allow a threat actor to send and receive text messages, retrieve precise geolocation, and disable hundreds of millions of SIM cards installed in Tesla, Subaru, Toyota, and Mazda vehicles, among others.

We also hear about hackers breaching car companies more often than we’d like, with the Ferrari ransomware and Volvo breach being among the most notable.

Playing with fire

Companies leave an exposed .git folder more often than you think. Another recent Cybernews investigation discovered more than 1.9 million IP addresses exposing their .git folders to the public.

Since .git folders contain important information about projects, leaving them exposed can lead to breaches and system exposure.

“Having public access to the .git folder could lead to exposure of the source code. Tools required to get parts or full source code from the .git folder are free and well-known, which can lead to many more internal leaks or easier access to the system for a malicious actor,” says Martynas Vareikis, a researcher at Cybernews.

A .git folder contains important information about projects, such as addresses of external repositories, commit history logs, and other important metadata. Leaving this data openly accessible can lead to breaches and system exposure.
