Security researcher Eaton Zveare has disclosed serious weaknesses in Tata Motors' web infrastructure that exposed more than 70 terabytes of confidential data, including customer personal information, financial reports and fleet-management records.
The flaws, found during authorised security research in 2023 and made public only now, centred on AWS access keys hardcoded in publicly reachable websites, which gave unauthenticated visitors access to numerous cloud storage buckets.
The case illustrates a persistent weakness in major automakers' digital platforms: a single secret leaked in front-end code can expose data on millions of customers and dealers.
Tata Motors' E-Dukaan platform, an online marketplace for vehicle spare parts, shipped AWS credentials in plaintext in its client-side source code, so anyone who viewed the page source could use them to reach large stores of confidential documents.
The keys granted access to customer database backups, buckets of market analysis and hundreds of thousands of invoices containing personal data such as names, addresses and Indian PAN (Permanent Account Number) numbers.

A single bucket held roughly 40 GB of order documents, an indication of the scale of commercial data exposed. Zveare noted that the application used the keys mainly to fetch a trivial 4 KB tax-codes file; credentials scoped to that one object would have carried little risk, but these keys were far broader than their purpose required.
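How a leak like E-Dukaan's is caught before it ships: the following Node.js scanner is an added example, not code from the article, from Tata Motors or from Zveare. It looks for AWS access key IDs and nearby high-entropy 40-character secret keys in a JavaScript bundle, using an entropy threshold to skip placeholders. The sample bundle is constructed and uses the example credential pair from AWS's own documentation, which are not valid keys.

```javascript
// Added example: minimal scanner for hardcoded AWS credentials in a JavaScript bundle.
// Not Tata Motors' or Zveare's code; the sample bundle below is constructed.

// Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA.
const ACCESS_KEY_ID_RE = /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g;
// Secret access keys are 40 base64-like characters. Requiring a "secret..." identifier
// within a few characters cuts false positives from hashes and unrelated tokens.
const SECRET_KEY_RE = /secret[A-Za-z_]*[^A-Za-z0-9/+=]{0,20}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])/gi;

// Shannon entropy in bits per character; real secrets score high, placeholders low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns every credential-looking hit with its kind, value and byte offset.
function scanForAwsCredentials(source, minEntropy = 4.0) {
  const findings = [];
  for (const m of source.matchAll(ACCESS_KEY_ID_RE)) {
    findings.push({ kind: 'access_key_id', value: m[0], offset: m.index });
  }
  for (const m of source.matchAll(SECRET_KEY_RE)) {
    const candidate = m[1];
    if (shannonEntropy(candidate) >= minEntropy) {
      findings.push({ kind: 'secret_access_key', value: candidate, offset: m.index });
    }
  }
  return findings;
}

// Show only the ends of a hit so the scan report itself does not leak the secret.
function redact(value) {
  return value.slice(0, 4) + '...' + value.slice(-4);
}

// Constructed sample bundle. The key pair is the example from AWS documentation (not valid).
const SAMPLE_BUNDLE = `
var s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY",
  region: "ap-south-1"
});
var devCfg = { secretAccessKey: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }; // placeholder, low entropy
var apiKey = "not-a-secret";
`;

for (const f of scanForAwsCredentials(SAMPLE_BUNDLE)) {
  console.log(`${f.kind} at offset ${f.offset}: ${redact(f.value)}`);
}
```

Run it against built assets (the minified bundles actually served to browsers) as well as source, since secrets often enter through build-time configuration. Tools such as gitleaks and trufflehog do the same job with far larger rule sets; the point here is that the check is cheap enough to gate every deploy.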

Decryptable Credentials in FleetEdge System
A related problem affected FleetEdge, Tata's fleet-tracking system, where AWS keys were returned in "encrypted" form in API responses, but the decryption routine and its key were part of the client-side JavaScript, so anyone could recover the plaintext keys from the browser.

This "needless" encryption, a pattern also seen in recent findings at Intel, exposed a further set of buckets, including a data lake holding more than 70 TB of fleet analytics going back to 1996.
Malicious actors could not only download historical vehicle data but also introduce malware into interconnected sites, which points to write access on those buckets and adds an operational safety risk to the privacy risk. The finding reflects weak key management in customer-facing applications: a secret that is sent to the browser cannot be protected by encrypting it with a key that is sent alongside it.
Compounding the risk, E-Dukaan's code contained a backdoor into Tableau dashboards: it used Tableau's "trusted ticket" mechanism, in which the server issues a login ticket for whatever username a trusted host requests, so an attacker could obtain passwordless access as any user, including the server administrator.
That gave full access to internal projects, financial reports, dealer scorecards and records on more than 8,000 users. Separately, an Azuga API key exposed in the JavaScript of the test-drive website put fleet tracking of demonstration vehicles at risk, potentially revealing their real-time location. Zveare stopped short of further testing to avoid exfiltrating data and confirmed that no malicious actions took place during the research.
The vulnerabilities were reported to India's CERT-In on August 8, 2023, but remediation stretched into January 2024 after repeated follow-ups. Tata Motors acknowledged fixes in 2023 but did not notify affected individuals, raising transparency concerns.
For India's largest automaker, operating in 125 countries, lapses of this kind undermine vehicle owners' trust in its data handling. The standard remedies apply: keep secrets out of client-side code, scan source and build artifacts for leaked credentials, scope cloud credentials to the minimum they need, and revoke and rotate any key that has ever been exposed.