• Can Yoleri, a security researcher at SOCRadar, told TechCrunch that he discovered the exposed BMW cloud storage server while routinely scanning the Internet.
  • A BMW spokesman said no customer or personal data was affected.

Configuration error leads to information leakage

According to TechCrunch, automotive giant BMW’s cloud storage server was misconfigured, leading to the disclosure of sensitive company information, including private keys and internal data.
Can Yoleri, a security researcher at threat intelligence firm SOCRadar, told TechCrunch that he found the exposed BMW cloud storage server during a routine scan of the Internet. Yoleri said the Microsoft Azure-hosted storage servers (also known as “buckets”) exposed in BMW’s development environment were “accidentally configured to be public instead of private due to a misconfiguration.”

Yoleri adds that the bucket contains “script files that include Azure container access information, keys to access private bucket addresses, and other cloud service details.”
It is not known exactly how much data was exposed or how long the cloud storage bucket was exposed to the Internet. “Unfortunately, this is the biggest unknown in the public bucket,” Yoleri told TechCrunch. “Only the owner of the bucket can see how long it has actually been open.”
BMW spokesperson Chris Overall confirmed to TechCrunch via email that the exposure involved a Microsoft Azure storage bucket in the company’s development environment, and said no customer or personal data was affected.
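The bucket, per Yoleri, held script files carrying storage keys and access details. A defensive check that follows from that is a scanner for Azure storage credentials embedded in deployment scripts (account keys inside connection strings, SAS tokens inside URLs). This is an added example, not code from TechCrunch, SOCRadar or BMW; the sample script and the key and signature values in it are constructed placeholders, and the patterns encode the documented Azure key and SAS formats.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Azure storage account keys are 64 random bytes, base64-encoded: 86 chars plus "==".
ACCOUNT_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
ACCOUNT_NAME_RE = re.compile(r"AccountName=([a-z0-9]{3,24})")
# A shared access signature is a query string carrying sv= (API version) and sig= (HMAC).
SAS_RE = re.compile(r"\?(?=[^\s\"']*sv=)(?=[^\s\"']*sig=)[^\s\"']+")


@dataclass
class Finding:
    line_no: int
    kind: str              # "account_key" or "sas_token"
    account: Optional[str]  # storage account name when it is on the same line
    redacted: str          # never log the full secret


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_script(text: str) -> List[Finding]:
    """Return one Finding per embedded storage credential, with the secret redacted."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCOUNT_KEY_RE.finditer(line):
            acct = ACCOUNT_NAME_RE.search(line)
            findings.append(Finding(n, "account_key", acct.group(1) if acct else None, redact(m.group(1))))
        for m in SAS_RE.finditer(line):
            sig = re.search(r"sig=([^&]+)", m.group(0))
            findings.append(Finding(n, "sas_token", None, redact(sig.group(1)) if sig else "***"))
    return findings


# Constructed sample deployment script; the key and signature are placeholders, not real credentials.
FAKE_KEY = "A" * 86 + "=="
SAMPLE_SCRIPT = f"""#!/bin/bash
# pushes build artifacts to the dev storage account
export AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=devbuildartifacts;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"
az storage blob list --container-name private-builds
curl "https://devbuildartifacts.blob.core.windows.net/private-builds?sv=2022-11-02&sr=c&sp=rl&se=2030-01-01T00:00:00Z&sig=0123456789abcdefghijklmnopqrstuvwxyzABCDEFG"
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.kind} account={f.account} value={f.redacted}")
```

Any hit is a credential that must be rotated, not merely a file to take offline, since a key copied from a public bucket keeps working after the bucket is made private.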


Unknown duration of the leak

“The BMW Group is able to resolve this issue by early 2024 and we will continue to monitor the situation together with our partners,” the spokesman added.
BMW would not say how long the bucket had been exposed or whether it had observed any malicious access to the exposed data. Yoleri said that while he had no evidence of malicious access, “that doesn’t mean it doesn’t exist.”
Yoleri told TechCrunch that while BMW made the bucket private after he reported his findings to the company, it did not revoke or change the passwords and credentials found in the exposed cloud bucket.
“Even if the bucket has been set to private, it is necessary to change these access keys. If the bucket is private, it doesn’t matter.” He added that he tried to contact BMW about subsequent issues but received no response.

Last month, Mercedes-Benz confirmed that it had left a private key online that allowed “unfettered access” to its source code, accidentally exposing a large amount of internal data. After TechCrunch disclosed the security issue to Mercedes, the automaker said it had “revoked the corresponding API token and immediately removed the public repository.”