Honda leaked personal information from its Honda Connect App
Kromtech Security Center experts recently discovered two public, unsecured Amazon AWS S3 buckets, both belonging to Honda Cars India. Inside them were unprotected databases containing the personal information of over 50,000 users of its Honda Connect App.
The leaked information included names, phone numbers of both users and their trusted contacts, passwords, gender, email addresses of both users and their trusted contacts, plus information about their cars, including VIN, Connect IDs, and more.
Honda Connect is a smartphone app that boasts of giving the user a sense of security and safety.
Features include: periodic service alerts, service booking/editing, a feedback system, a nearby dealer and fuel pump locator, My Documents (to store important documents for your car), Fuel Log, SoS (a one-click way to let family and friends know your exact location in an emergency), a service cost calculator, a car calendar (to remind you of insurance renewal, pollution checks, and other dates), and, when paired with a Connected Device: Vehicle Health Monitoring, Locate My Car (find the exact location of your car), and trip analysis (including route driven, stops made, idle times, braking, speed, acceleration, and more). This is quite a bit of information to potentially hand an attacker.
Kromtech also discovered that the S3 buckets had been accessed at least once before by security researcher @Random_Robbie (Twitter), who left a note named poc.txt in them, dated February 28, 2018:
With the sheer volume of leaky S3 buckets already discovered and the massive amount of coverage given to them, it is just astounding to us that we are still finding them. It shows that many companies of all sizes are not paying any attention to their security. Honda Cars India did not even notice that a security researcher had added a file to their buckets. There is no excuse for that; it clearly illustrates that they are running on auto-pilot with no monitoring at all.
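An added example of the kind of check that would have surfaced the unnoticed write described above (this is not Kromtech's tool or Honda's code). It parses S3 server access log lines and flags successful requests whose requester field is "-", which S3 records for unauthenticated callers; a successful anonymous PUT is the equivalent of the poc.txt event. The owner ID, bucket name, IPs, request IDs and log lines are constructed placeholders.

```python
import re

# Tokenizer for S3 server access log lines: a bracketed timestamp or a
# quoted string is one field; everything else splits on whitespace.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Names of the first 17 positional fields of the S3 server access log format.
FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turn_around_time", "referer", "user_agent")

# Write-type operations: an anonymous success here means the bucket was writable.
WRITE_OPS = ("REST.PUT.", "REST.POST.", "REST.DELETE.")

# Constructed sample log (owner ID, bucket, IPs and request IDs are placeholders).
SAMPLE_LOG = [
    'EXAMPLEOWNERID example-app-bucket [28/Feb/2018:10:15:02 +0000] 203.0.113.5 EXAMPLEOWNERID REQID0001 REST.GET.BUCKET - "GET /example-app-bucket?list-type=2 HTTP/1.1" 200 - 1452 - 12 11 "-" "aws-cli/1.14" -',
    'EXAMPLEOWNERID example-app-bucket [28/Feb/2018:10:20:44 +0000] 198.51.100.7 - REQID0002 REST.GET.OBJECT backups/users.sql "GET /example-app-bucket/backups/users.sql HTTP/1.1" 200 - 52428800 52428800 900 40 "-" "curl/7.58.0" -',
    'EXAMPLEOWNERID example-app-bucket [28/Feb/2018:10:21:10 +0000] 198.51.100.7 - REQID0003 REST.PUT.OBJECT poc.txt "PUT /example-app-bucket/poc.txt HTTP/1.1" 200 - - 311 35 20 "-" "python-requests/2.18" -',
    'EXAMPLEOWNERID example-app-bucket [28/Feb/2018:10:25:00 +0000] 192.0.2.9 - REQID0004 REST.GET.OBJECT config.json "GET /example-app-bucket/config.json HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/7.58.0" -',
]

def parse_line(line):
    """Map one log line onto FIELDS; brackets/quotes are stripped, trailing extra fields ignored."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("truncated S3 access log line: %r" % line)
    return dict(zip(FIELDS, (t.strip('[]"') for t in tokens)))

def find_unauthenticated_access(lines):
    """Return (severity, operation, bucket, key, remote_ip) for every successful
    request made without credentials (requester field is '-'). Denied anonymous
    attempts (4xx) are normal noise on a private bucket and are not reported."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec["requester"] != "-" or not rec["http_status"].startswith("2"):
            continue
        severity = "HIGH" if rec["operation"].startswith(WRITE_OPS) else "MEDIUM"
        findings.append((severity, rec["operation"], rec["bucket"], rec["key"], rec["remote_ip"]))
    return findings

if __name__ == "__main__":
    for f in find_unauthenticated_access(SAMPLE_LOG):
        print("%-6s %-16s s3://%s/%s from %s" % f)
```

On the sample log this reports the anonymous download of the database dump as MEDIUM and the anonymous upload of poc.txt as HIGH, while the denied request and the owner's own listing are ignored.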
In this particular case, the leaked information could potentially give an attacker access to everything on that phone, but specifically, regarding this app when paired with a Connected Device: where someone's car is currently located, where they went, where they typically drive, how they drive, and where they start and stop. Considering how we use our cars, this could give an attacker knowledge of the user's daily activities, including where they live, work, shop, and play, making it very easy to stalk someone.
The leaked e-mail addresses (including those of trusted contacts), phone numbers (including those of trusted contacts), and other personal data give an attacker all the information needed to launch a very targeted spear phishing attack. It would not be too difficult to e-mail or text a malicious cybersquatted link that appears to come from a trusted source and that, with a simple click, can do many things, even compromise the device and give the attacker full access (see our research on the dangers of cybersquatting: Part one, Part two).
Kromtech quickly notified Honda Cars India and, though it took a while, we did finally get a response; Honda Cars India has since secured these S3 buckets.
In October 2017 the Kromtech Security Center released a free scan tool that helps identify and secure publicly accessible Amazon S3 buckets within an organization's network. We have also published an in-depth guide explaining how to secure Amazon S3 buckets for better data security.