VIN data for 10 million cars leaked: be careful not to buy a cloned car!

E Security, June 13: A car database has been found leaked online. It covers tens of millions of cars sold in the United States, along with the personal information of their buyers. Car dealers affected by the leak include Acura, BMW, Chrysler, Honda, Hyundai, Infiniti, Jeep, Kia, Mini, Mitsubishi, Nissan, Porsche and Toyota.

The unprotected database, discovered by researchers at the Kromtech Security Research Center, contains three sets of data:
● Vehicle details: Vehicle Identification Number (VIN), make, model, model year, vehicle color, mileage, etc.
● Sales details: VIN, odometer, total sales, payment method, monthly payment amount, purchase price, etc.
● Customer details: full name, address, mobile/home/work phone, email, date of birth, gender, occupation, etc.

E Safety Encyclopedia: What is a car VIN code?

VIN is the abbreviation of Vehicle Identification Number. Because the SAE (Society of Automotive Engineers) standard stipulates that the VIN consists of 17 characters, it is commonly known as the seventeen-digit code. It contains information such as the vehicle's manufacturer, year, model, body type and code, engine code and assembly location. Interpreting the VIN correctly is very important for identifying the vehicle model correctly, and therefore for carrying out correct diagnosis and maintenance.

Bob Diachenko, Kromtech's chief communications officer, said the database appears to be part of a collection of sales data from large and small U.S. auto dealerships.
He also added, "This database has been circulating on the Internet for more than 137 days. Security researchers have not yet identified the owner of the database, but have reminded the dealers involved to contact potential data owners."

What can criminals do with this data?

Diachenko explained, "High-level criminals have now established a way to combine traditional offline crimes such as car theft with technological means. Criminals are now using leaked or stolen data to obtain a vehicle's unique identifier and then 'clone' its VIN to help the stolen vehicle gain a legal identity."

"Criminals first select the car they want to steal, then use the VIN database to create a new set of VIN numbers and create a pseudonym. Once they have the stolen car's information and the real body number from the vehicle database, they can use it to create a new VIN number. The car is then sold to an unsuspecting buyer. Victims may not immediately realize it is a stolen car, until the criminals have already gone off with the proceeds, never to be recovered."

Car thieves have been using stolen VIN numbers to "legally" buy and sell stolen vehicles for the past decade, in what the FBI calls "car cloning."

How does "car cloning" work?

The FBI explains how "car cloning" works as follows:
⊳ After stealing a car, the thief travels to a neighboring state, finds a larger car dealership and looks for a vehicle of exactly the same make and model (or even the same color) as the stolen one.
⊳ They then write down the VIN number shown above the dashboard.
⊳ Next, they make a new VIN label and replace the old VIN number with the new label. The result is a "clone" car: two different cars with the same VIN number.
⊳ Finally, the thieves obtain the relevant documents through forgery. They then sell the "clone" car without arousing the slightest suspicion from the buyer, because the car appears to be legally registered and has not been reported stolen, so the scheme appears flawless.

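Creating a duplicate key

Knowing a vehicle's VIN may also allow criminals to have a duplicate key made for it, and so steal the vehicle without having to break into its systems. Over the past three years, members of a Tijuana motorcycle club have used this particular method to steal a number of Jeep Wranglers.
In that case the criminals did not obtain the VINs from a database; they simply read them directly off the vehicle dashboard.
In a recently unsealed indictment, prosecutors explained that "scouts would send the VIN to the gang leader, who then sent the VIN to the key maker. Through unauthorized access to a proprietary database, the key maker was able to provide a copy of the key code for the Jeep Wrangler in order to get past the vehicle's authentication mechanism, along with a second code, which was used to program the vehicle's microchip."
Just last year, security researcher Troy Hunt demonstrated a vulnerability in a mobile app used to interact with the Nissan Leaf (a popular electric car). An unauthenticated remote attacker could exploit the flaw to switch the car's heating system on and off. To carry out the attack, a malicious actor only needed to know the target vehicle's VIN.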

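The importance of data security

This leak comes as no surprise to experts, who have long warned that cybercriminals are especially fond of customer databases. Experts advise organizations to focus on data protection technology, both to stop fraudsters from stealing data and to prevent accidental data leaks.

Cybercrime is becoming increasingly cunning. This report is another wake-up call for car dealers, who should do their utmost to keep their data secure.

Diachenko has provided a copy of the leaked database to Have I Been Pwned (HIBP), so that US car owners can visit the site to check whether their information has been leaked. Owners can check whether their car's VIN was leaked by searching on name, email address or other details.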

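How can car owners protect themselves?

Almost no vehicle is free from the risk of theft. Owners can, however, reduce the risk appropriately, for example:

  • Lock the car;

  • Park the car in a well-lit place;

  • Cover the VIN above the dashboard;

  • Use an anti-theft alarm and other security measures.

If you are worried about buying a "cloned" car, E Security recommends looking up and checking the VIN. Users should also be wary of so-called "bargain deals".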
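An added example, not part of the original article: a minimal VIN checker for the 17-character code described above and for the "checking the VIN" advice. It assumes the North American check-digit rule (position 9) that applies to US-market cars, and the registration records and their `vin`/`state` fields are constructed for illustration. A cloned VIN is copied from a real car, so it passes the check digit; only the cross-record comparison flags it.

```python
from collections import defaultdict

# Transliteration and weights of the North American VIN check digit (position 9).
_VALUES = {**{str(d): d for d in range(10)},
           **dict(zip("ABCDEFGH", range(1, 9))),
           **dict(zip("JKLMN", range(1, 6))), "P": 7, "R": 9,
           **dict(zip("STUVWXYZ", range(2, 10)))}
_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]
_YEAR_CODES = "ABCDEFGHJKLMNPRSTVWXY123456789"  # 30-year cycle starting 1980


def check_digit_ok(vin: str) -> bool:
    """True if vin has 17 legal characters and a matching check digit."""
    vin = vin.strip().upper()
    if len(vin) != 17 or any(c not in _VALUES for c in vin):
        return False  # I, O and Q never appear in a VIN
    remainder = sum(_VALUES[c] * w for c, w in zip(vin, _WEIGHTS)) % 11
    return vin[8] == ("X" if remainder == 10 else str(remainder))


def decode(vin: str) -> dict:
    """Split a VIN into its sections and list candidate model years."""
    vin = vin.strip().upper()
    idx = _YEAR_CODES.find(vin[9])
    years = [1980 + idx, 2010 + idx] if idx >= 0 else []
    return {"wmi": vin[:3], "vds": vin[3:9], "vis": vin[9:],
            "plant": vin[10], "model_years": years}


def possible_clones(records):
    """Return VINs that appear in the records under more than one state."""
    states = defaultdict(set)
    for rec in records:
        states[rec["vin"].upper()].add(rec["state"])
    return {vin: sorted(s) for vin, s in states.items() if len(s) > 1}


# Constructed sample data: a widely used textbook VIN plus invented records.
SAMPLE_VIN = "1M8GDM9AXKP042788"
RECORDS = [
    {"vin": SAMPLE_VIN, "state": "CA"},
    {"vin": SAMPLE_VIN, "state": "NV"},
    {"vin": "11111111111111111", "state": "TX"},
]

if __name__ == "__main__":
    print(check_digit_ok(SAMPLE_VIN), decode(SAMPLE_VIN))
    print(possible_clones(RECORDS))
```

A buyer can compare the decoded model year and manufacturer prefix with what the title and the seller claim; a mismatch or a failed check digit is a reason to stop the purchase.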


Source: https://www.easyaq.com/news/1871049058.shtml

Origin blog.csdn.net/lsyou_2000/article/details/73195295