The Cybernews research team uncovered sensitive data leaks from two Suzuki-authorized dealer websites, raising concerns about cybersecurity in the automotive industry.
These leaks exposed customer information, including passwords, secret tokens, and SMTP credentials, which could be exploited by malicious actors for phishing attacks and compromising website security. The affected dealerships, operating in Brazil and Bahrain, left their databases and credentials publicly accessible, allowing various cyberattacks to be carried out with relative ease.
As cars are considered major purchases, cybercriminals see customers as valuable targets, making it crucial for dealerships to adopt more stringent cybersecurity practices to safeguard their clients’ data.
The first dealership, located in Brazil, operates in a market of 214.3 million people with an elevated crime rate, while the second dealership is situated in Bahrain, a Middle Eastern island country with a population of 1.46 million.
Despite being part of a reputable global car manufacturer, the Brazilian Suzuki website accidentally exposed sensitive information, including secrets for a content delivery network, MySQL database, SMTP credentials, and various secret keys. Similarly, the Suzuki website in Bahrain left its Laravel app key, database, and SMTP credentials unprotected, potentially exposing user data to cyber threats.
As car buyers are perceived as “crown jewels” for cybercriminals due to the significance of their purchasing decisions, customer information collected by automakers and dealers becomes highly valuable on hacker forums.
With access to official communication channels through SMTP credentials, attackers can launch more effective phishing campaigns. The vulnerabilities discovered in these Suzuki dealerships could have allowed malicious actors to send phishing emails to customers through official channels, access and compromise user information, alter website operations, and downgrade security measures.
Although the vulnerabilities have been resolved, the incident underscores the importance of robust cybersecurity measures to protect customers’ sensitive data in the automotive industry.
