
BMW confirms that a data breach has occurred, and how to ensure information security in the intelligent era

(Text/Zhang Jiadong Editor/Zhang Guangkai)

Recently, a serious data breach occurred at BMW, a world-renowned automobile manufacturer.

Researcher Can Yoleri reported that during a routine scan, he accidentally discovered that BMW's cloud storage servers on the Microsoft Azure platform were misconfigured and set to public access instead of private as intended. This misconfiguration left BMW's private keys, internal data, and other sensitive information exposed to public view.

In the detailed report, Yoleri noted that the misconfigured server contained a large amount of sensitive information, including access to Azure, keys for accessing private storage server addresses, and other details related to BMW's cloud services.

TechCrunch reported that the exposed data included private keys to BMW's cloud services in China, Europe and the United States, as well as login credentials for production and development databases.

Although a BMW spokesperson said that the incident did not affect customers or personal data, the incident undoubtedly poses a severe test for BMW's credibility in information security.

The spokesperson added: "The BMW Group has fixed this issue in early 2024 and we will continue to monitor the situation with our partners."

However, Yoleri noted that BMW has not revoked or changed the passwords and credentials found in the exposed cloud storage servers.

In recent years, as the concept of "software-defined vehicles" has continued to gain popularity, the market position of intelligent networked vehicles has steadily strengthened. With the rapid development of intelligent technology, software, chips, and big data have become important parts of intelligent networked vehicles.

However, while these technologies bring consumers a more convenient travel experience, the risks they carry cannot be ignored.

In 2020, tens of thousands of Tesla owners were unable to connect to their cars through the app due to system downtime, and in early 2021, a foreign hacker obtained the in-car footage captured by Tesla's in-car camera, which was widely disseminated on social media platforms and attracted attention.

In response to the incident, Tesla officially issued a statement saying: "The cab camera is not currently active in markets outside of North America. Even in the United States, car owners are free to choose whether to turn it on or not."

But even though Musk specifically emphasized at the 2021 China Development Forum: "Tesla will not use the collected data for espionage, because this will seriously affect the development, we are willing to take the highest level of confidentiality measures, and hope to create a future of mutual trust with everyone," and even though a data center was built in China, the damage to its brand image is difficult to repair.

In 2022, it also came to light that criminals were selling NIO-related data online and extorting NIO for $2.25 million worth of Bitcoin by threatening to leak the data. Afterwards, Li Bin, chairman of NIO, apologized to car owners and the public in the community, and responded: "Resolutely do not compromise with criminals and do not set a precedent for compensation. Even if the company goes bankrupt, it will not compromise."

Judging from the results, whether it was Tesla being attacked by hackers or NIO being harassed by criminals, the several large-scale vehicle data leaks of recent years have not caused very serious consequences. In fact, however, such data can be used for more than extortion: it is also easily stolen and sold by criminals, enabling "precision strikes" against people and their money.

Previously, some industry experts pointed out: "An intelligent networked car collects at least 10TB of data every day, which is not only a huge amount, but also involves key information such as the travel trajectory, habits, voice, and video of drivers and passengers, and will leak personal privacy once it is violated."

Entering 2024, it is foreseeable that with the further expansion of technologies such as Internet of Vehicles applications and intelligent driving, vehicles will carry more sensors of various kinds, such as cameras and lidars, and the information collected is likely to involve sensitive locations, that is, the content is illegal;

Last year, there were a number of cases in which video footage captured by in-car cameras was leaked to social media, attracting widespread attention.

At the end of the year, after a winter test conducted by an automotive media outlet, the practice of many automobile manufacturers of retrieving vehicle data from their back-end systems also caused consumers to worry about the security and confidentiality of driving data.

According to a survey last year by satisfaction research agency J.D. Power, 90% of users prefer car brands with high data security.

Industry insiders pointed out that effective regulatory mechanisms for cross-border data transmission have been lacking, yet the cross-border transmission of confidential data has a great impact on national security, and once the data has been transmitted, it is difficult to rectify and repair the situation afterwards.

The Ministry of Industry and Information Technology previously issued a document stating that with the development of connected vehicles, the threat of cyber attacks is spreading at an accelerating pace to the vehicle itself and to Internet of Vehicles platforms, and that network security incidents in the Internet of Vehicles not only affect the privacy, property and life safety of citizens, but may even endanger social security and national security.

It is for this reason that from 2021 to the present, most countries and regions around the world have been continuously improving their laws and regulations on privacy and data protection for automotive products.

Taking China as an example, the Cyberspace Administration of China has deliberated and passed the "Several Provisions on the Security Management of Automotive Data (Trial)" at its chamber meeting, which addresses, at the policy level, the whole process of automotive data, from collection, analysis and storage to transmission, query, application and deletion.

At the same time, in terms of information security operations, car companies need to assume the corresponding responsibility for the secure collection and protection of information and data.

Among Chinese car companies, Great Wall Motors has carried out all-round information security design starting from the cloud, and has cooperated with the National Internet Emergency Response Center, Qihoo 360, Baidu Security Laboratory, China Automotive Technology and Research Center and other institutions to set up a series of jointly built security laboratories and carry out technical research on information security, so as to improve the level of information security protection of the whole vehicle.

BYD actively carries out various data security and compliance certifications. At present, BYD has obtained security certifications such as R155 (CSMS) and R156 (SUMS) system certification, and has passed the national information security level protection level 3 certification.

Li Auto applies data encryption and monitoring across the whole process: security is built into every stage, from design and research and development to production. At the same time, it implements domain isolation and defense in depth, and applies security controls to suppliers, so as to keep the initiative on security.

However, as the BMW data leak shows, even under relatively mature policy supervision and technical protection, it seems difficult for large enterprises to completely avoid lapses in information technology management.

Information security experts point out that misconfiguration of cloud storage servers can lead to multiple security risks. A compromise of a private key can expose communications and data transfers to the risk of man-in-the-middle attacks, while a breach of login credentials for production and development databases can lead to unauthorized access and even a larger data breach.

For global auto companies, BMW's information leak is just another warning on the road of rapid development of intelligent technology, and competition in information security technology and management is an underlying contest beneath the fierce "involution" battle over intelligent technology.
