
Mercedes-Benz Accidentally Leaked Private Data, Including Source Code


Mercedes-Benz unintentionally leaked a trove of internal data by leaving an obscure key online that gave "unrestricted access" to the company's source code, according to the security research team that unearthed it. 

TechCrunch was notified of the exposure by RedHunt Labs' co-founder and chief technology officer Shubham Mittal, who also requested help in notifying the automaker. The London-based cybersecurity firm claimed that during a standard internet scan in January, it found the authentication token of a Mercedes employee in a public GitHub project.

According to Mittal, this token, which is used in place of a password to authenticate to GitHub, could give anyone complete access to Mercedes's GitHub Enterprise Server and let them obtain the company's proprietary source code repositories.

“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Mittal explained. “The repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information.”

Mittal provided TechCrunch with evidence that Mercedes source code, a Postgres database, and keys for Microsoft Azure and Amazon Web Services (AWS) were all present in the exposed repositories. Whether any customer data was present in the repositories is unknown.

Mercedes was informed of the security lapse by TechCrunch on Monday of last week. Mercedes spokesperson Katja Liesenfeld stated on Wednesday that the company had revoked the API token in question and removed the public repository immediately.

“We can confirm that internal source code was published on a public GitHub repository by human error. The security of our organisation, products, and services is one of our top priorities. We will continue to analyse this case according to our normal processes. Depending on this, we implement remedial measures,” Liesenfeld added. 

Mercedes declined to comment on whether it was aware of any unauthorised access to the leaked data by third parties, or whether it has the technical means, such as access logs, to determine whether unauthorised access to its data repositories occurred. The representative cited unspecified security reasons for not answering.

Earlier this month, TechCrunch exclusively reported that a bug, since fixed by Hyundai's India subsidiary, had exposed the personal information of Hyundai Motor India customers who had their vehicles serviced at Hyundai-owned stations across India, including names, mailing addresses, email addresses, and phone numbers.

Mozilla Report Calls Modern Cars a 'Privacy Nightmare'


Modern automotive technology enables some very special and convenient features. They're essentially four-wheeled smartphone extensions. As fantastic as it is to start a vehicle with a phone app or to have it self-park, there is a downside.

The Mozilla Foundation claimed in its latest report that cars are "the official worst category of products for privacy" it has ever analysed. 

The global nonprofit discovered that 84% of the reviewed automakers shared user data with third parties, giving users little (if any) control over their personal information.

None of the 25 automakers examined for the report, including Ford, Toyota, Volkswagen, BMW, and Tesla, met the nonprofit organisation's minimum privacy standards. Tesla was also found to be collecting more personal information from customers than necessary.

Data collected spans from personal information, such as medical information, to information about how drivers use the vehicle itself, such as how fast they drive, where they go, and even what music they are listening to. 

Both Nissan and Kia are known to permit the gathering of data about a user's sexual life. By comparison, Mozilla claims that 37% of mental health applications (which are themselves known for poor data privacy practices) have better practices for collecting and using private data.

According to the report, 84 percent of the evaluated car brands share users' personal information with service providers, data brokers, and potentially dubious companies, with 76 percent claiming the right to sell such information, and 56 percent will hand over information to the government and/or law enforcement upon request.

With flags in every privacy category, Tesla received the lowest overall brand score in the survey, only the second product Mozilla has ever reviewed to be flagged across the board. Following a number of collisions and fatalities, Tesla's AI-powered Autopilot was also criticised as "untrustworthy."

In addition to the research, Mozilla published a breakdown of how automakers acquire and share user data. This can include basic information such as the user's name, address, phone number, and email address, as well as more sensitive information such as images, calendar entries, and even specifics like the driver's race, genetic makeup, and immigration status. 

According to Mozilla, it was unable to establish whether any of the automakers could meet the group's baseline security requirements for data encryption and theft protection. Indeed, it claims that dating apps and even sex toys frequently provide more comprehensive security information about their products than automobiles do.

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” stated Mozilla in the report. 

Mozilla claims to have spent more than 600 hours—three times as long per product as it typically does—researching the privacy policies of car manufacturers. The organisation said that because the findings were so damning, the recommendations it usually gives to help consumers protect their personal data feel like "tiny drops in a massive bucket."

Instead, the Mozilla Foundation has launched a petition asking automakers to halt the data-collection practices from which they are unfairly profiting, saying that "our hope is that increasing awareness will encourage others to hold car companies accountable for their terrible privacy practices."

Tesla Begins Notifying Individuals Impacted in a Data Breach Incident


Tesla has acknowledged a data breach affecting around 75,000 individuals, but the incident is the result of a whistleblower leak rather than a malicious attack. 

The company informed US authorities that a data breach found in May exposed the personal information, including social security numbers, of over 75,700 people.

According to a notice letter issued to those affected, the data breach is the result of two former workers sending private data to the German news publication Handelsblatt. Tesla stated that the former employees "misappropriated the information in violation of Tesla's IT security and data protection policies." 

The leaked data includes names, contact information, and employment-related details for current and previous employees. Individuals affected are being offered credit monitoring and identity protection services. 

The leak was discovered in May when Handelsblatt reported that a whistleblower had given it 100 GB of private Tesla data. According to the publication, Tesla did not adequately protect the data of its partners, customers, and employees.

The 'Tesla Files', which were leaked, apparently contained information on over 100,000 current and former employees, bank account information for customers, trade secrets for production, and customer concerns about driver assistance systems. The car maker has been reassured by Handelsblatt that it has no plans to publish the whistleblower's personal information. 

Given the circumstances of the incident, the chances of the exposed data being misused are minimal, and Tesla has likely started the data breach disclosure process because of its legal obligations. Tesla has filed lawsuits against the employees responsible for the breach, whose lawyer described the leaker as a "disgruntled former employee" when the leak was discovered.

“These lawsuits resulted in the seizure of the former employees’ electronic devices that were believed to have contained the Tesla information. Tesla also obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties,” the car manufacturer noted in its recent breach notification.

Thieves Use JBL Speakers to Hack Cars with Keyless Entry

Car theft has been an ongoing problem for decades, but now, thieves have found a new way to bypass modern car security systems using hacking tools disguised as JBL portable speakers. This emerging trend highlights the importance of cybersecurity in the automotive industry and the need for manufacturers to improve the security of their products.

According to a recent report by TechSpot, car thieves are using these hacking tools to gain access to vehicles equipped with keyless entry systems. They target the key fob's wireless communication system and use a device disguised as a JBL portable speaker to inject code into the car's system, allowing them to start the engine and drive away.

Ken Tindell, a cybersecurity researcher, revealed that this technique is possible due to a vulnerability in the communication protocol used by the key fob and the car. The vulnerability allows attackers to inject code into the system and bypass the security measures designed to prevent unauthorized access. Thieves have been using this technique to steal luxury cars such as BMWs and Mercedes, which are often targeted because of their high resale value. The devices used to carry out these attacks can be bought easily online for as little as $30, making this a low-cost and accessible method for criminals.

The use of hacking tools disguised as JBL portable speakers is just one example of the increasing threat of cyber attacks in the automotive industry. As cars become more connected and reliant on technology, the risk of cyber-attacks increases. This is particularly concerning in the case of autonomous vehicles, where a cyber attack could have severe consequences.

To address this issue, car manufacturers need to improve the security of their products and work with cybersecurity experts to identify vulnerabilities in their systems. Additionally, car owners should take steps to protect their vehicles, such as storing key fobs in a secure location and keeping their software and firmware up to date.

Private Data of Nearly 296,000 Users Compromised in Toyota Data Breach


Toyota Motor, the world's largest car manufacturer, said on Friday it had identified that about 296,000 pieces of customer information and assigned customer numbers were “mistakenly” leaked from its T-Connect service. 

The Japanese automaker published a statement warning its customers that they may be at risk of receiving spam, phishing scams, or malicious texts to their email addresses. Those impacted by the data leak are users who signed up for the service starting July 2017 via their emails. 

According to the firm, a total of 296,019 email addresses and customer numbers may have been leaked, but other personal data such as customer names, phone numbers, and credit card information was not exposed. Toyota has also not reported any cases in which the leaked customer information has been misused.

“The email addresses and customer management numbers of some customers who subscribe to 'T-Connect' were found to have been leaked,” Toyota stated. “We sincerely apologize for causing great inconvenience and concern to our customers.” 

The incident occurred after an unnamed subcontractor who worked as a developer on the T-Connect website accidentally uploaded part of the source code to a publicly accessible repository, where it remained from December 2017 until September 15 of this year. However, based on an investigation by security experts, the car manufacturer has not identified any third-party access to the data server where the information was stored.

“From December 2017 to September 15, 2022, a third party was able to access part of the source code on GitHub,” the automaker added. “It was discovered that the published source code contained an access key to the data server, and by using it, it was possible to access the email addresses and customer management numbers stored in the data server.”
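Both the Mercedes-Benz incident above (an employee's GitHub token committed to a public repository) and this Toyota incident (a data-server access key embedded in published source code) have the same root cause: a credential checked into version control. The following is an added example, not code from Mercedes, Toyota, RedHunt Labs or any of the tooling mentioned on this page, of the kind of pattern-based secret scan a defender can run over a repository or a pre-commit diff. The GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`) and the `AKIA`/`ASIA` prefix of AWS access key IDs are publicly documented formats; the connection-string rule is a loose heuristic, and every credential in the sample input is constructed and fake.

```python
import re
import sys
from dataclasses import dataclass

# Credential formats this scanner recognises. The GitHub and AWS rules follow
# the publicly documented token formats; the connection-string rule is only a
# heuristic for "scheme://user:password@host" and will need tuning per codebase.
PATTERNS = {
    "github_token_classic": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_token_fine_grained": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"
    ),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql)://[^\s'\"/:@]+:[^\s'\"@]+@[^\s'\"]+"
    ),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which rule fired
    line: int       # 1-based line number in the scanned text
    redacted: str   # the match with its middle masked, safe to log


def redact(secret: str) -> str:
    """Keep just enough of the match to recognise it; never echo the full value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Run every rule over every line and return the findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, lineno, redact(match.group(0))))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan one file; binary files are skipped by decoding leniently."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample input: a config file of the kind that ends up in a public
# repository. Every value below is fake and was made up for this example.
SAMPLE = """\
# config.py (constructed sample, all values fake)
GITHUB_TOKEN = "ghp_0123456789abcdefABCDEF0123456789abcd"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY0000AA"
DATABASE_URL = "postgres://app:s3cret-pw@db.internal:5432/app"
SAFE = "this line contains no credential"
"""


if __name__ == "__main__":
    # With no arguments, scan the built-in sample; otherwise scan the given files.
    paths = sys.argv[1:]
    results = (
        [(p, f) for p in paths for f in scan_file(p)]
        if paths
        else [("<sample>", f) for f in scan_text(SAMPLE)]
    )
    for path, f in results:
        print(f"{path}:{f.line}: {f.kind}: {f.redacted}")
    # Non-zero exit lets a pre-commit hook or CI job block the commit.
    sys.exit(1 if results else 0)
```

Run without arguments it reports three findings from the sample on lines 2, 3 and 4 and exits non-zero; pointed at real files it behaves the same way, which is what makes it usable as a pre-commit or CI gate. The scanner deliberately prints only a redacted form of each match so that the finding itself does not become a second copy of the secret in build logs. Pattern matching of this kind catches well-formed tokens but not arbitrary passwords, so it complements rather than replaces the other two controls these incidents point to: rotating any credential that has ever touched a repository, and keeping audit logs on the systems those credentials unlock so that access can be reconstructed after the fact.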

According to threat analysts, car apps put customers' private details at risk. In May of this year, security researchers at the cybersecurity firm Kaspersky published a report finding that more than half of these apps use customers' personal data without first asking for their consent, and that the apps tend to be susceptible to data leaks.

The average cost of a data breach hit a record high of $4.35 million in 2022, 2.6 percent higher than in 2021 and 13 percent higher than in 2020, US technology firm IBM said in an August report.

This is not the first time Toyota made headlines for the wrong reasons. Earlier in February, the company suspended Japanese factory operations after a supplier of electronic components was hit by a suspected ransomware attack. Toyota has joined a series of popular firms that have had their data and user information leaked, including Samsung Electronics, LinkedIn, Cisco, Twitter, and Facebook.