BMW exposes clients in Italy


Hackers have been enjoying their fair share of the spotlight by breaching car manufacturers' defenses. The latest Cybernews discovery showcases that popular car brands sometimes leave their doors open, as if inviting threat actors to feast on their client data.

ADVERTISEMENT
  • BMW exposed sensitive files to the public
  • Attackers could exploit the data to steal the website’s source code and potentially access customer info
  • BMW secured the data that wasn’t meant to be public in the first place
  • BMW clients should remain vigilant, as home addresses, vehicle location data, and many other kinds of sensitive personal information are collected by the manufacturer

BMW, a German multinational manufacturer of luxury vehicles delivering around 2.5 million vehicles a year, potentially exposed its business secrets and client data.

If a malicious hacker were to discover the flaw, they could exploit it to access customer data, steal the company’s source code, and look for other vulnerabilities to exploit.

The discovery

In February, Cybernews researchers stumbled upon an unprotected environment (.env) and .git configuration files hosted on the official BMW Italy website. Environment files (.env), meant to be stored locally, included data on production and development environments.

Researchers noted that while this information is not enough for threat actors to compromise the website, they could be used for reconnaissance – covertly discovering and collecting information about a system. Data could lead to the website being compromised or point attackers towards customer information storage and the means to access it.

The .git configuration file, exposed to the public, would have allowed threat actors to find other exploitable vulnerabilities, since it contained the .git repository for the site’s source code.

ADVERTISEMENT

“The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network. Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen,” the Cybernews research team said.

Sensitive files were generated by a framework that BMW Italy relies on – Laravel, a free open-source PHP framework designed for the development of web applications.

In 2017, a vulnerability was discovered in the aforementioned framework. It scored 7.5 out of 10 on the the Common Vulnerability Scoring System (CVSS), since attackers can obtain sensitive information such as externally usable passwords by exploiting the flaw. The company might have either used a vulnerable Laravel version or it might have been misconfigured by mistake by someone using an up-to-date version.

Recommendations for BMW

  • Reset the GitLab CI token to avoid .git repository cloning and exploitation of other potential vulnerabilities within the website
  • Reset credentials of MySQL and PostgreSQL databases, change ports and IP of the host to avoid sensitive data leakage
  • Change the ports used by the administrative portals to listen to incoming connections to avoid the exposure of the internal tools and a potential tip-off of hackers on what attacks to launch

What BMW knows about you

  • As per BMW Italy’s website, they collect a treasure trove of user information, including full names, addresses, phone numbers, and email addresses
  • BMW also knows what vehicle you own, has contract details, and your online account’s data that could be used for phishing and/or credential-stuffing attacks
  • BMW knows technical information about your vehicle,and the location of your phone if it has BMW or Mini connected apps installed. This information could even lead to the theft of your vehicle, since the attacker could figure out if you are inside your car or far away from it
  • Since the data was secured by the manufacturer, there’s no need to worry. However, we recommend you stay vigilant at all times, cautiously reviewing any suspicious emails and monitoring your banking information

Car hacking

Different attempts to hack into cars make headlines quite often these days.

ADVERTISEMENT

Just recently, Europol arrested 31 suspects for allegedly using fraudulent software, marketed as an automotive diagnostic solution to unlock, start, and steal vehicles without using the actual key.

In a curious case in France, criminals used a modified JBL Bluetooth speaker to hack into cars in less than a minute.

White-hat hackers demonstrated how to unlock Tesla by exploiting a Bluetooth vulnerability.

Recently, Hyundai and KIA released software updates for millions of car owners in an effort to combat a viral TikTok challenge, after teen thieves began posting instructional videos showing viewers how to bypass the security system and hotwire the cars using just a screwdriver and a USB cable.

These are just a few stellar examples of how your new car is a smart device that can therefore be hacked. It also means that car manufacturers and their partners have a bigger responsibility than ever to secure vehicles.

Yet, cases where car brands fail to do so continue to pile up.

In January, good-faith security researchers discovered severe vulnerabilities in well-known automotive companies that could potentially allow a threat actor to send and receive text messages, retrieve live geolocation, and disable hundreds of millions of SIM cards installed in Tesla, Subaru, Toyota, and Mazda vehicles, among others.

We also hear about hackers breaching automotive companies more often than we’d like to, with the Ferrari ransomware and Volvo breach cases being among the more notable.

Playing with fire

Companies leave an exposed .git folder more often than you’d think. Another recent Cybernews investigation discovered more than 1.9 million IP addresses exposing their .git folders to the public.

ADVERTISEMENT

As .git folders contain essential information about projects, leaving them exposed can lead to breaches and system exposure.

“Having public access to the .git folder could lead to the exposure of the source code. Tools required to get parts or full source code from the .git folder are free and well-known, which could lead to many more internal leaks or easier access to the system for a malicious actor,” said Martynas Vareikis, a researcher at Cybernews.

A .git folder contains essential information about projects, such as remote repository addresses, commit history logs, and other essential metadata. Leaving this data openly accessible can lead to breaches and system exposure.