ADVERTISEMENT

BMW exposes clients in Italy

The latest Cybernews discovery showcases that popular car brands sometimes leave their doors open, as if inviting threat actors to feast on their client data.

BMW cars

Shutterstock/Cybernews

Jurgita Lapienytė
Jurgita Lapienytė Chief Editor
Mar 9, 2023 Updated: 10 March 2023 4 min read
  • BMW exposed sensitive files to the public
  • Attackers could exploit the data to steal the website’s source code and potentially access customer info
  • BMW secured the data that wasn’t meant to be public in the first place
  • BMW clients should remain vigilant, as home addresses, vehicle location data, and many other kinds of sensitive personal information are collected by the manufacturer

The discovery

Recommendations for BMW

  • Reset the GitLab CI token to avoid .git repository cloning and exploitation of other potential vulnerabilities within the website
  • Reset credentials of MySQL and PostgreSQL databases, change ports and IP of the host to avoid sensitive data leakage
  • Change the ports used by the administrative portals to listen to incoming connections to avoid the exposure of the internal tools and a potential tip-off of hackers on what attacks to launch
ADVERTISEMENT

What BMW knows about you

  • As per BMW Italy’s website, they collect a treasure trove of user information, including full names, addresses, phone numbers, and email addresses
  • BMW also knows what vehicle you own, has contract details, and your online account’s data that could be used for phishing and/or credential-stuffing attacks
  • BMW knows technical information about your vehicle,and the location of your phone if it has BMW or Mini connected apps installed. This information could even lead to the theft of your vehicle, since the attacker could figure out if you are inside your car or far away from it
  • Since the data was secured by the manufacturer, there’s no need to worry. However, we recommend you stay vigilant at all times, cautiously reviewing any suspicious emails and monitoring your banking information

Car hacking

Playing with fire

ADVERTISEMENT