Honda Car India accidentally leaked the personal details of thousands of customers in two public, unsecured Amazon AWS S3 buckets. According to Kromtech Security researchers, the unprotected databases contained information for over 50,000 users of its mobile Honda Connect app.
The remote car management app allowed users to interact with their Honda smart cars and with services provided by Honda Car India, and to view specific information about their vehicle including fuel log, car calendar for reminders, vehicle health monitoring, Locate My Car services, trip analysis and more.
The compromised data included names, phone numbers and email addresses of users and their trusted contacts, gender, passwords and car information such as VIN, Connect IDs and more.
"The information leaked could potentially give an attacker access to everything on that phone," Bob Diachenko, the Kromtech security researcher who discovered the exposed S3 buckets, wrote in a blog post. When paired with a connected device, the app also details a trove of specific information about where a customer's car is located, their driving habits, when and where they typically travel as well as when they stop.
"Considering how we use our cars, this could give that attacker knowledge of the user's daily activities, including where they live, work, shop and play, making it very easy to stalk someone," he added. Moreover, the email addresses, phone numbers and other personal data leaked could be leveraged to launch a targeted spear phishing attack as well.
Diachenko said he wasn't the first researcher to uncover the exposed buckets either. Honda Car India's storage buckets were previously accessed at least once by security researcher Robbie Wiggins, who goes by the Twitter handle @Random_Robbie and left behind a file named poc.txt dated February 28, 2018 notifying them about the exposed data.
"This is a proof of concept to check if your S3 bucket has incorrect permissions," the message read. "Please secure your S3 bucket before a bad guy finds it!!"
"It shows that many companies of all sizes are not paying any attention to their security," Diachenko wrote. "Honda Car India didn't even notice that a security researcher added a note to their buckets. There is no excuse for that, it clearly illustrates that they are simply running on auto-pilot with no monitoring at all."
Kromtech has notified Honda Car India about the leaky buckets, which he noted "took a while," and they have since been secured.
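The root cause described above is a bucket whose permissions let outsiders read (and, given the dropped poc.txt, write) its contents. As an added example that is not part of the original article or of any Kromtech tooling, the Python below audits an S3 bucket ACL and bucket policy for grants to the anonymous or any-AWS-account groups; the sample ACL and policy are constructed here in the shape boto3's get_bucket_acl() and get_bucket_policy()['Policy'] return, so the check runs offline.

```python
import json

# Grantee group URIs that AWS uses for "everyone" and "any signed-in AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def public_acl_grants(acl):
    """Return (permission, who) pairs from a get_bucket_acl()-shaped dict that expose the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grant["Permission"], PUBLIC_GROUPS[grantee["URI"]]))
    return findings

def _wildcard_principal(principal):
    """True when a bucket-policy Principal means 'everyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Return Sids of Allow statements open to everyone (Condition blocks still need manual review)."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "statement[%d]" % i) for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))]

# Constructed sample data in the shape boto3 returns; the anonymous WRITE grant is the
# kind of setting that lets an outsider drop a file into a bucket they do not own.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```

Against the samples, public_acl_grants reports the anonymous READ and WRITE grants and public_policy_statements reports only "PublicRead"; in a real account, enabling S3 Block Public Access at the account level and alerting on anonymous PutObject in the bucket's access logs would have caught both the exposure and the researcher's note.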