Car park

For 137 days now, a yet to be identified company has left a database containing over 10 million Vehicle Identification Numbers (VINs) exposed online with no authentication.

This means that anyone who knows what to look for can mass-scan the Internet and download loads of sensitive information without any restriction.

Discovered by researchers from the Kromtech Security Research Center, the company's experts believe the database was compiled for marketing purposes.

Database leaks user PII, car VINs, sales data, more

Based on the data contained within the exposed database, researchers believe the DB belongs to one or more US-based dealerships.

The database's content is organized into three main sections, each holding information on customers, cars, and sales details.

For example, the database tables pertaining to customer info holds details such as full name, address, mobile/home/work phones, email, date of birth, gender, and the number of children over 12 years old.

The database table holding vehicle information includes a car's Vehicle Identification Number (VIN), model, model year, assigned sales representative name, mileage, and more.

The last part, the one holding info sales pitches includes details such as VIN, mileage odometer, sales gross, pay type, monthly payment amount, purchase price, and payment type (cash, bank, card).

Leaked Car VIN Database

Besides exposing customer PII (Personally Identifiable Information) that could be used in online fraud and identity theft, the database, if discovered by other threat actors, will cause lots of more problematic issues.

VINs could be used in mass car cloning operation

Believe it or not, the most sought-after information exposed in the database is the VINs, a serial number unique to each vehicle.

For the last decade, car thieves have been using stolen VIN numbers to pass stolen cars as legitimate. Below is the FBI's explanation for this technique, called "car cloning."

⊳ After stealing a car, thieves head for a neighboring state. They seek out a large car dealership and look for a car that’s the exact make and model (and even the same color) of the stolen one.
⊳ Then, they write down the vehicle identification number (or VIN) stamped on the top of the dashboard and drive off.
⊳ Later, they make an exact replica of the new VIN tag, pull the old tag out of the stolen car, and pop in the new one. Voilà, a clone is born: two identical cars, one identification number.
⊳ Now, one final step—the thieves use a little forgery to get a real title or other ownership documents from the motor vehicle office in the neighboring state. Then, it’s no problem to sell the vehicle to an unsuspecting victim for nearly full price. And since it’s legally registered and not reported stolen, it’s nearly untraceable.

VINs could be used to create replica keys

Besides car cloning, VINs can also be used for other criminal operations. For example, last week, a motorcycle gang from Mexico known as the Hooligans have shown the world another way of using stolen VINs.

The group operated by initially obtaining the VIN of a car they wanted to steal. The group focused only on Jeep Wranglers.

After getting his VIN, the gang would illegally access a car dealership's proprietary database from where they'd steal two codes necessary to create replacement keys.

The gang would then use these secondary keys to open cars and drive off with people's cars in the middle of the night.

Compared to car cloning, this method is more complex, as it requires access to proprietary car key codes databases, but if an attacker finds 10 million VINs on the Internet than he's already halfway there.

Leaked VINs to be added to Have I Been Pwned

Bob Diachenko, a member of the Kromtech team who discovered the database, has provided a copy of the exposed database to Have I Been Pwned (HIBP), a service that indexes leaked data sets.

HIBP is currently in the process of importing the leaked VIN database. Once the data has been added, US car owners can use Have I Been Pwned to search by their name or other details, and see if their car VIN was exposed via this database.

And since we're on the topic of car hacking, yesterday, security researcher Aaron Guzman presented a method of hacking Subaru cars. His work is detailed in an exclusive article on Data Breach Today.