Attached: 1 image
As it turns out, Volkswagen has been collecting extensive geo data from all their electric cars and made them available online in an AWS bucket. Almost 10TB of geo traces from 15 MiO cars. Amazing detail and patterns. This is why I don't want a smart car 🤯 https://events.ccc.de/congress/2024/hub/en/event/wir-wissen-wo-dein-auto-steht-volksdaten-von-volkswagen/ #Volksdaten
The default for net new buckets is actually very strict.
But it’s that strictness that makes devs just to open it up to everyone and not learn proper IAM syntax.
The unfortunate part is that AWS made rules and privileges so nuanced and detailed that it makes people want to make everything public and deal with it “later”.
All you have to do is monitor the network traffic and then scan any AWS subdomains/IPs that pop up.
[edit] this makes me think… it’s not really possible for a secure connection from all of VW’s vehicles to an S3 bucket, is it? Anyone can pull the key from any of the millions of vehicles making the connection. Then they can dump whatever they want into the bucket.
You could secure it using an IAM user with credentials but then those credentials would be available on all vehicles.
If the vehicles had direct access to S3, maybe that’s why the bucket was public? But you could also just leave it available to the public.
But if that was the design, you should sweep the bucket on a regular basis to make sure there aren’t any objects over x hours old or something like that.
Bucket names are often committed to GitHub. It used to be that bucket names could be published but ever since the blog post of the guy getting fucked by people polling his bucket due to an open source project typo made others realize that bucket names should probably be secrets.
There are bots that will just monitor all public commits to github, gitlab, etc. for AWS credentials and other strings like that. And as soon as they are found they will start to abuse them.
It doesn’t default insecure anymore and it bitches at you when you try to make it public.
My bet would be that It was either a pre-existing bucket, or some team put a “temporary” measure in (making it public) instead of using the API to pull the data until they got around to implementing it correctly.
“Accidentally”
From what a gathered, it was the classic misconfigured AWS S3 Bucket.
It’s criminal how AWS still makes the default configuration insecure.Edit: apparently buckets are private by default now, haven’t set up S3 in a while.
It was also the classic “collecting the information to begin with,” and it’s criminal how that is allowed, too.
The default for net new buckets is actually very strict.
But it’s that strictness that makes devs just to open it up to everyone and not learn proper IAM syntax.
The unfortunate part is that AWS made rules and privileges so nuanced and detailed that it makes people want to make everything public and deal with it “later”.
How do people end up finding them? Don’t they have random UUIDs in the URL? Or are they predictable?
All you have to do is monitor the network traffic and then scan any AWS subdomains/IPs that pop up.
[edit] this makes me think… it’s not really possible for a secure connection from all of VW’s vehicles to an S3 bucket, is it? Anyone can pull the key from any of the millions of vehicles making the connection. Then they can dump whatever they want into the bucket.
You could secure it using an IAM user with credentials but then those credentials would be available on all vehicles.
If the vehicles had direct access to S3, maybe that’s why the bucket was public? But you could also just leave it available to the public.
But if that was the design, you should sweep the bucket on a regular basis to make sure there aren’t any objects over x hours old or something like that.
Bucket names are often committed to GitHub. It used to be that bucket names could be published but ever since the blog post of the guy getting fucked by people polling his bucket due to an open source project typo made others realize that bucket names should probably be secrets.
There are bots that will just monitor all public commits to github, gitlab, etc. for AWS credentials and other strings like that. And as soon as they are found they will start to abuse them.
Was it this one?: https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1
It doesn’t default insecure anymore and it bitches at you when you try to make it public.
My bet would be that It was either a pre-existing bucket, or some team put a “temporary” measure in (making it public) instead of using the API to pull the data until they got around to implementing it correctly.