BMW exposes data of clients in Italy, experts warn

Cybernews researchers discovered that BMW exposed sensitive files that were generated by a framework that BMW Italy relies on.

Original post at: https://cybernews.com/security/bmw-exposes-italy-clients/



Hackers have been enjoying their fair share of the spotlight by breaching car manufacturers’ defenses. The latest Cybernews discovery showcases that popular car brands sometimes leave their doors open, as if inviting threat actors to feast on their client data.

  • BMW exposed sensitive files to the public
  • Attackers could exploit the data to steal the website’s source code and potentially access customer info
  • BMW secured the data that wasn’t meant to be public in the first place
  • BMW clients should remain vigilant, as home addresses, vehicle location data, and many other kinds of sensitive personal information are collected by the manufacturer

BMW, a German multinational manufacturer of luxury vehicles delivering around 2.5 million vehicles a year, potentially exposed its business secrets and client data.

If a malicious hacker were to discover the flaw, they could exploit it to access customer data, steal the company’s source code, and look for other vulnerabilities to exploit.


The discovery

In February, Cybernews researchers stumbled upon an unprotected environment (.env) file and .git configuration files hosted on the official BMW Italy website. Environment files (.env) are meant to stay on the server, outside anything the web server will serve to the public, yet this one included data on both the production and development environments.

Researchers noted that while this information alone is not enough for threat actors to compromise the website, it could be used for reconnaissance, the covert discovery and collection of information about a system. The data could lead to the website being compromised, or point attackers towards where customer information is stored and the means to access it.

The .git configuration file, exposed to the public, would have allowed threat actors to find other exploitable vulnerabilities, since the .git directory it belongs to holds the repository for the site’s source code: once that directory is reachable over HTTP, the repository can be reconstructed offline and searched for further flaws.


“The discovery illustrates that even well-known and trusted brands can have severely insecure configurations, allowing attackers to breach their systems in order to steal customer information or move laterally through the network. Customer information from such sources is especially valuable for cybercriminals, given that customers of luxury car brands often have more savings that could potentially be stolen,” the Cybernews research team said.

Sensitive files were generated by a framework that BMW Italy relies on

That framework is Laravel, a free, open-source PHP framework designed for the development of web applications.

In 2017, a vulnerability was discovered in the aforementioned framework (tracked as CVE-2017-16894). It scored 7.5 out of 10 on the Common Vulnerability Scoring System (CVSS), since attackers can obtain sensitive information such as externally usable passwords by exploiting the flaw: a direct request for the /.env path returned the file. The company might have either used a vulnerable Laravel version, or the site might have been misconfigured by mistake by someone using an up-to-date version. The latter is the more common cause in practice: Laravel expects the web server’s document root to be the project’s public/ directory, and pointing it at the project root instead, or deploying the whole repository (.git directory included) into a served directory, exposes .env and .git no matter how current the framework is.
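The following is an added example written for this page; it is not code from the Cybernews or SecurityAffairs article, from BMW, or from the Laravel project. It shows concretely what the exposed .env and .git/config files described in the discovery section hand to an attacker (credentials parsed out of the .env, a clone-capable token embedded in a remote URL), and wraps that in a probe you can point at hosts you are authorised to test. The sample .env, .git/config, hostnames and tokens are constructed for illustration; the fetcher is injectable so the logic runs offline.

```python
"""Added example; not code from the article, BMW or Laravel. Demonstrates what
an exposed Laravel .env and .git/config give away, plus a probe for hosts you
own. Sample responses, hostnames and tokens below are constructed."""
import re
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Constructed stand-in for a .env served from a misconfigured web root.
SAMPLE_ENV = """\
APP_NAME=Example
APP_ENV=production
APP_KEY=base64:QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
DB_CONNECTION=mysql
DB_HOST=10.0.0.5
DB_USERNAME=site_rw
DB_PASSWORD="s3cr3t pass"   # quoted value followed by an inline comment
MAIL_PASSWORD=
"""

# Constructed stand-in for a .git/config whose remote URL embeds a CI token.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://gitlab-ci-token:glpat-xxxx@gitlab.example.com/web/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

SECRET_NAME_RE = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.I)
CRED_URL_RE = re.compile(r"^[a-z]+://(?P<user>[^:/@]+):(?P<secret>[^@]+)@(?P<rest>.+)$", re.I)
PROBE_PATHS = ("/.env", "/.git/config", "/.git/HEAD")


def parse_dotenv(text):
    """Approximate dotenv parsing: skip blanks and comments, honour quoted
    values, and drop an unquoted trailing '# comment'."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value[:1] in ('"', "'"):
            end = value.find(value[0], 1)
            value = value[1:end] if end > 0 else value[1:]
        else:
            value = value.split("#", 1)[0].strip()
        env[key.strip()] = value
    return env


def leaked_secrets(env):
    """Variables whose name looks like a credential and whose value is set:
    this is what an attacker walks away with from an exposed .env."""
    return {k: v for k, v in env.items() if SECRET_NAME_RE.search(k) and v}


def parse_git_config(text):
    """Remote URLs from a .git/config (the file the article says was exposed)."""
    return [l.strip().partition("=")[2].strip()
            for l in text.splitlines() if l.strip().lower().startswith("url")]


def embedded_credentials(urls):
    """(user, secret, host/path) for every remote URL carrying a login; such a
    URL lets anyone who reads the file clone the repository from the origin."""
    return [(m["user"], m["secret"], m["rest"]) for m in map(CRED_URL_RE.match, urls) if m]


def http_fetch(url, timeout=5):
    """Live fetcher, for hosts you are authorised to test."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "dotfile-probe"}), timeout=timeout) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except Exception:
        return None, ""


def probe(base_url, fetch=http_fetch):
    """Request the probe paths and classify genuine hits. Bodies are sniffed
    because many servers answer every path with a 200 HTML error page."""
    findings = {}
    for path in PROBE_PATHS:
        status, body = fetch(urljoin(base_url, path))
        if status != 200:
            continue
        if path == "/.env" and re.search(r"^(APP_KEY|DB_CONNECTION)=", body, re.M):
            findings[path] = sorted(leaked_secrets(parse_dotenv(body)))
        elif path == "/.git/config" and "[core]" in body:
            findings[path] = [user for user, _, _ in embedded_credentials(parse_git_config(body))]
        elif path == "/.git/HEAD" and body.startswith("ref:"):
            findings[path] = ["repository reachable"]
    return findings


def fake_fetch(url):
    """Constructed responses standing in for a misconfigured server (offline demo)."""
    if url.endswith("/.env"):
        return 200, SAMPLE_ENV
    if url.endswith("/.git/config"):
        return 200, SAMPLE_GIT_CONFIG
    if url.endswith("/.git/HEAD"):
        return 200, "ref: refs/heads/main\n"
    return 404, ""


if __name__ == "__main__":
    # Offline run against the constructed responses; pass fetch=http_fetch for a live host.
    for path, what in probe("https://www.example.com/", fetch=fake_fetch).items():
        print(f"{path}: {what}")
```

A hit on /.git/HEAD is the cheapest confirmation that the whole repository can be pulled; a remote URL with a user:token pair in /.git/config is worse, because the token works against the origin server, not just the copy on the web host. On the defensive side, the durable fix is to keep the document root on the framework’s public/ directory and to deny every request for a dotfile at the web server (in nginx, a `location ~ /\.` block with `deny all;`), then rotate anything the exposed files contained.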


Recommendations for BMW

  • Reset the GitLab CI token to prevent cloning of the .git repository and exploitation of other potential vulnerabilities within the website
  • Reset the credentials of the MySQL and PostgreSQL databases, and change the ports and IP of the host, to avoid sensitive data leakage
  • Change the ports on which the administrative portals listen for incoming connections, to avoid exposing the internal tools and tipping off hackers about what attacks to launch

Treat the port and IP changes as a stopgap: every secret that was in the exposed files has to be considered compromised and rotated, and the .env file and .git directory have to be moved out of, or denied from, the served directory tree, otherwise the next scan simply finds them again.


What BMW knows about you

  • As per BMW Italy’s website, they collect a treasure trove of user information, including full names, addresses, phone numbers, and email addresses
  • BMW also knows what vehicle you own, has contract details, and holds your online account’s data, which could be used for phishing and/or credential-stuffing attacks
  • BMW knows technical information about your vehicle, and the location of your phone if it has the BMW or Mini connected apps installed. This information could even lead to the theft of your vehicle, since an attacker could figure out whether you are inside your car or far away from it
  • Since the data was secured by the manufacturer, there is no need to panic. However, we recommend you stay vigilant at all times, cautiously reviewing any suspicious emails and monitoring your banking information

If you want to know more about car hacking and the mistakes made by car makers, take a look at the original post at https://cybernews.com/security/bmw-exposes-italy-clients/


About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Pierluigi Paganini

(SecurityAffairs – hacking, BMW Italia)



