BMW accidentally shares access keys to internal cloud environments with the public

  • February 19, 2024

BMW has given away the keys to a large part of its cloud kingdom due to a misconfiguration in Microsoft Azure. It is unclear whether unsavory elements have made off with this.

A BMW cloud storage server in Microsoft Azure was incorrectly configured as public, security researcher Can Yoleri of SOCRadar discovered. In the bucket, the researchers found scripts that in turn contained access data for private buckets as well as sensitive information about other cloud services. In other words: anyone who found their way to the publicly accessible server also found the key to the rest of BMW’s digital empire.

Keys and access data

Yoleri shared screenshots with TechCrunch showing that he was able to obtain private keys for cloud services in China, Europe and the US, as well as credentials for BMW’s production and development environments. It is not clear how much data was exposed online or how long the misconfiguration lasted.

The researcher shared his findings with BMW, which immediately made the public server private. However, according to Yoleri, BMW has not changed any of the other exposed data. In other words: the leaked keys are still valid. He points out that BMW should really change all of the leaked data, because it is entirely possible that someone with worse intentions came across the same bucket. BMW reportedly did not respond to these further comments.

Misconfigurations are the biggest security risk in the cloud. The cloud provider is responsible for the security of the infrastructure, but the customer is responsible for the environment they use. Correct settings and strong passwords are essential, but sometimes it’s easy to make a mistake.

Source: IT Daily
