A misconfigured cloud storage server belonging to automotive giant BMW exposed sensitive company information, including private keys and internal data, information.killnetswitch has learned.
Can Yoleri, a security researcher at threat intelligence firm SOCRadar, told information.killnetswitch that he found the exposed BMW cloud storage server while routinely scanning the internet.
Yoleri said the exposed Microsoft Azure-hosted storage server — known as a “bucket” — in BMW’s development environment was “accidentally configured to be public instead of private due to misconfiguration.”
Yoleri added that the storage bucket contained “script files that include Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services.”
Screenshots shared with information.killnetswitch show that the exposed data included private keys for BMW’s cloud services in China, Europe, and the United States, as well as login credentials for BMW’s production and development databases.
It’s not known exactly how much data was exposed or for how long the cloud bucket was exposed to the internet. “Unfortunately, this is the biggest unknown in public bucket issues,” Yoleri told information.killnetswitch. “Only the bucket owner can see how long it has actually been open.”
When reached by email, BMW spokesperson Chris General confirmed to information.killnetswitch that the data exposure affected a Microsoft Azure bucket based in a storage development environment and said no customer or personal data was impacted as a result.
The spokesperson added that “the BMW Group was able to fix this issue at the beginning of 2024, and we continue to monitor the situation together with our partners.”
BMW wouldn’t say for how long the storage bucket was exposed, or say whether it had observed any malicious access to the exposed data. Yoleri said that while he doesn’t have any evidence of malicious access, “that doesn’t mean it doesn’t exist.”
“Even if the bucket has been made private, it was necessary to change these access keys. It doesn’t matter if the bucket is private anymore,” Yoleri said. He added that he tried to reach out to BMW about this subsequent issue but didn’t receive a response.
Last month, Mercedes-Benz confirmed it accidentally exposed a trove of internal data after leaving a private key online that allowed “unrestricted access” to its source code. After information.killnetswitch disclosed the security issue to Mercedes, the carmaker said it had “revoked the respective API token and removed the public repository immediately.”
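The two practical lessons in this report are that deployment scripts end up carrying Azure storage credentials, and that once such a bucket has been public the keys must be rotated regardless of the bucket's new access level. The following is an added example, not code from the article, BMW or SOCRadar: a small scanner that finds Azure connection strings, bare account keys and SAS tokens in script text and lists the storage accounts whose keys need rotating. The sample script, account name and key are constructed placeholders.

```python
import re
from typing import Dict, List

# Regexes for the Azure Storage credential formats most often pasted into scripts.
# Added example: the patterns follow Azure's documented formats, not any file from the incident.
PATTERNS = {
    "azure_connection_string": re.compile(
        r"DefaultEndpointsProtocol=https?;AccountName=(?P<account>[a-z0-9]{3,24});"
        r"AccountKey=(?P<key>[A-Za-z0-9+/]{86}==)", re.IGNORECASE),
    # bare 512-bit account key: 86 base64 characters plus "==" padding
    "azure_account_key": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==(?![A-Za-z0-9+/=])"),
    # shared access signature: a query string carrying sv=<api-version> ... sig=<hmac>
    "azure_sas_token": re.compile(
        r"[?&]sv=\d{4}-\d{2}-\d{2}[^\s\"']*?&sig=(?P<sig>[A-Za-z0-9%+/=]{20,})"),
}

def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per embedded secret, redacted so the report itself leaks nothing."""
    findings: List[Dict[str, object]] = []
    taken: List[tuple] = []  # character spans already attributed to a finding
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if any(start <= m.start() < end for start, end in taken):
                continue  # e.g. the AccountKey inside a connection string already reported
            taken.append((m.start(), m.end()))
            groups = m.groupdict()
            secret = groups.get("key") or groups.get("sig") or m.group(0)
            findings.append({
                "kind": kind,
                "line": text.count("\n", 0, m.start()) + 1,
                "account": groups.get("account"),
                "redacted": secret[:6] + "...",
            })
    return findings

def accounts_to_rotate(findings: List[Dict[str, object]]) -> List[str]:
    """Storage accounts whose keys were found; each needs a key rotation, not just a private bucket."""
    return sorted({str(f["account"]) for f in findings if f.get("account")})

# Constructed sample script (not a real file) with a connection string and a SAS URL.
FAKE_KEY = "A" * 86 + "=="  # placeholder with the right shape, not a real key
SAMPLE_SCRIPT = f'''#!/bin/sh
# constructed deployment helper
export AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=examplebuilddev;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"
az storage blob upload --container-name builds --file app.bin
PRIVATE_URL="https://examplebuilddev.blob.core.windows.net/private/cfg.json?sv=2022-11-02&ss=b&sp=rl&se=2024-12-31T00:00:00Z&sig=abcdef0123456789ABCDEF0123456789abcdef%3D"
'''
```

Running `scan_text(SAMPLE_SCRIPT)` reports the connection string on line 3 and the SAS token on line 5, and `accounts_to_rotate` names the one storage account whose key must be regenerated.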