BMW Faces Security Concerns as Misconfigured Cloud Server Exposes Sensitive Information

Felix Yim 14/02/2024

The German automotive giant has experienced a security incident as a result of a misconfigured cloud storage server.

BMW, a renowned automotive giant, encountered a security lapse as a misconfigured cloud storage server exposed sensitive company information, including private keys and internal data.

The discovery was made by Can Yoleri, a security researcher at SOCRadar, during routine internet scans. The Microsoft Azure-hosted storage server, part of BMW's development environment, was accidentally set to public instead of private.

The exposed cloud storage server held script files containing Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services. Screenshots shared with TechCrunch revealed private keys for BMW's cloud services in China, Europe, and the United States, along with login credentials for production and development databases. The extent of the exposed data and the duration of the cloud bucket's exposure to the internet remain unknown.

BMW confirmed the data exposure, stating that it impacted a Microsoft Azure bucket in a storage development environment. The company assured that no customer or personal data was affected, and the issue was resolved at the beginning of 2024. BMW emphasized ongoing monitoring in collaboration with its partners. However, details about the duration of exposure and potential malicious access remain undisclosed.

While the exposed bucket was made private after Yoleri reported the findings, the security researcher raised concerns about BMW's response to subsequent issues. Yoleri noted that BMW did not revoke or change the passwords and credentials found within the exposed cloud bucket. Despite making the bucket private, Yoleri stressed the necessity of changing the access keys to mitigate potential risks.

The security incident with BMW follows a similar incident involving Mercedes-Benz, which accidentally exposed internal data by leaving a private key online, granting unrestricted access to its source code. After TechCrunch reported the issue, Mercedes-Benz took prompt action by revoking the API token and removing the public repository.

Security lapses in major automotive companies highlight the importance of robust cybersecurity measures, especially when handling sensitive information and cloud-based storage. As digitalization continues to play a pivotal role in the automotive industry, companies must prioritize and regularly audit their cybersecurity protocols to safeguard critical data and maintain the trust of their customers and partners.

Felix Yim

Tech Expert

Felix is the founder of Society of Speed, an automotive journal covering the unique lifestyle of supercar owners. Alongside automotive journalism, Felix recently graduated from university with a finance degree and enjoys helping students and other young founders grow their projects. 

   