Pierluigi Paganini July 21, 2023

Cybernews research team discovered that two Suzuki-authorized dealer websites were leaking customers’ sensitive information.

Suzuki or otherwise, buying a new vehicle is an intense experience with complicated credit, insurance, documentation, and contracts. Think of all the data that you leave in a dealership, including the fact that you now own a brand-new car – which itself may be a potential target for criminals. Insecure dealership systems pose a risk to customers.

In the latest discovery by the Cybernews research team, two Suzuki-authorized dealer websites were found to be leaking sensitive information. Files that should be secure and kept private were left publicly accessible.

Anyone could have retrieved passwords and secret tokens for accessing user data, business management tools, or managing websites.

“We’ve grown to trust our local car sellers. Rarely do car manufacturers sell their cars directly. But these leaks are significant in showing that regional dealers are yet to catch up to a changing threat environment. More stringent cybersecurity practices are needed,” our researchers said.

The first dealership is operating in Brazil, a market of 214.3 million people that are already exposed to an elevated crime rate. The second auto dealer is located in Bahrain, an island country in the Middle East with a population of 1.46 million.

This isn’t the first-time that car dealers have struggled with cybersecurity. Ransomware breached the UK’s second-largest car dealer with 160 showrooms last year.

Databases and credentials exposed

Suzuki Motor Corporation is the tenth largest car manufacturer worldwide, with a net worth of $17.6 billion. The affected Brazilian dealer, Suzukiveiculos.com.br, is owned by Hpe Automatores Do Brasil, which also controls a factory producing 120,000 vehicles per year, mainly Mitsubishi and Suzuki models. They claim to have more than 2,500 direct and indirect employees.

The Brazilian Suzuki website contained sensitive information which had been accidentally left exposed, allowing various attacks to be carried out with relative ease.

Among the data, researchers found the endpoint and secret for the content delivery network (CDN) GoChache, MySQL database, SMTP credentials, and various secret keys for both the application itself and external third party services.

The second website belongs to Suzuki Bahrain. This is the only Suzuki vehicle dealer in the country, operated by Mohammed Jalal & Sons, founded in 1973. The website left the company’s Laravel app key, database, and SMTP credentials unprotected.

So, what does it all mean? According to Cybernews researchers, malicious actors could have used these credentials to send phishing emails to customers through official dealership channels, access user information after compromising the website, change how the website operates, and downgrade security measures used by the site.

So far, it’s unclear whether any adversaries managed to intercept the open private data. Cybernews researchers reached out to both companies, and the vulnerabilities were quickly resolved. Suzuki’s media team hasn’t commented on our findings before publishing this article.

Car buyers are crown jewels for cybercriminals

Cars are expensive and are regarded as one of the most important purchasing decisions that consumers can make. A person wealthy enough to buy a brand-new vehicle is a more attractive potential target for threat actors. That makes customer information gathered from automakers and dealers very valuable on hacker forums.

Access to official communication channels provided by SMTP credentials is also very lucrative for cybercriminals as it enables more effective phishing campaigns.

In the case of two Suzuki dealers, attackers could exploit both opportunities to target customers directly.

SMTP credentials would have allowed attackers to send malicious emails to the users of suzukiveiculos.com.br and suzukibahrain.com websites through the website’s official email address.

Database credentials allow attackers to easily access the contents of the database, which likely contain user information. Attackers would need to take over the web server or gain a foothold in the network first.

To know how consumers should act to protect themselves give a look at the original post at:

https://cybernews.com/security/suzuki-dealers-left-data-leaking-research/

About the author: Ernestas Naprys, Senior Journalist at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT41)