One free BMW, keys included please, and how hacks generate real-life damages.

Teampurple
4 min read · Apr 11, 2018

This little adventure actually happened at the end of 2016. At that time, I was working for an IT company with a very strong international focus. The natural result of this was that for a minimum of twice a month I would get to enjoy the finest selection of airport gourmet, single-serving peanuts and TSA baggage checks where, without fail, a bag with more than 1 laptop resulted in me unpacking my neatly organized carry-on luggage and stuffing every last bit of IT equipment back into a lot less organized bag.

The trips usually would only entail staying 1 night at any location and flying back the next day, and after the initial bunch one simply starts to optimize his travel routines à la the movie “Up in the Air”.

The closest airport to me has one big negative: the parking situation. Somehow the continuous growth of the airport combined with limited space resulted in very expensive parking at the airport or, alternatively, leaving your car at some car park 15 minutes away and taking a small bus to the actual airport. All while hoping nobody will smash your window while you are away because they misjudge the value of those cheap dollar-store sunglasses and logic and people who smash car windows have bigger issues in their life, so who am I to judge?

The solution to this is quite elegant. Local businesses have started ‘valet’ parking services where you simply make a quick online reservation and you drive your car straight to departures. Throw your key at a student making some extra money and when returning you simply show your copy of the reservation and you are good to go. Extra bonus: On cold and snowy days your car is already warmed up, and somehow you just feel a bit special and important because valet parking.

One of my little escapes from my cubicle in 2016 was different. Excited for my next trip I went through my booking routine and simply filled in my online parking order and waited patiently for confirmation. This came 5 minutes later in the form of an email and I followed the link in the email to get my ticket…. Link in my email…. To get my ticket….

My browser showed the url http://theplacewhereIorderedmyparkingspot.com/?order=8495&key=order_546c8ca75c01f

Good to know I’m 8495 by the way. And of course the next logical thing to do is change the order number because even given the fact there is a key, I don’t really trust anybody who puts words into keys…

http://theplacewhereIorderedmyparkingspot.com/?order=8494&key=order_546c8ca75c01f

Loading….

Seriously?

Presented in the form of a neatly styled PDF document, my screen now displayed the booking of an 8-year-old Toyota. This resulted in the following thoughts:

1. What can I do with this data?

2. Thank you for ruining the special ‘luxury’ feeling of valet parking for me.

The data in the reservation was average: car, brand, plates, name of the owner, mobile # of the owner, whether the reservation was paid, when the car was coming, but also when it was scheduled to be picked up.
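The behaviour above, where the key from order 8495 still opens order 8494, is what happens when the server looks a reservation up by its number alone. The sketch below is an added example, not the parking company's code: the handler names, the secret, the sample orders and the HMAC-derived key are all assumptions chosen to show the vulnerable lookup next to one that binds the key to a single order.

```python
import hashlib
import hmac

# Constructed sample data; field names and values are illustrative only.
SERVER_SECRET = b"constructed-demo-secret"  # assumed to come from a secret store
ORDERS = {
    8494: {"car": "Toyota", "plate": "XX-00-XX"},
    8495: {"car": "Volvo", "plate": "YY-11-YY"},
}


def order_key(order_id: int) -> str:
    """Derive the URL key from the order number, so a key fits one order only."""
    mac = hmac.new(SERVER_SECRET, str(order_id).encode(), hashlib.sha256)
    return "order_" + mac.hexdigest()


def fetch_order_vulnerable(order_id: int, key: str):
    """Assumed model of the flaw: the key is accepted but never compared
    with anything tied to the requested order."""
    return ORDERS.get(order_id)


def fetch_order_hardened(order_id: int, key: str):
    """Return the reservation only if the key was issued for this exact order."""
    expected = order_key(order_id)
    # The MAC is computed even for unknown order numbers, and compared in
    # constant time, so existing and missing orders look the same to a caller.
    if not hmac.compare_digest(expected.encode(), key.encode()):
        return None
    return ORDERS.get(order_id)
```

With this shape, changing only the `order` parameter yields nothing, because the key in the link no longer matches the order being requested.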

For a little while I might have had a small script running to pull in reservations and see what was going on. What is the most expensive car these guys have? I even might have found a reservation of a former employer who was, at the moment I saw the reservation, out of town. Of course this is purely hypothetical as it would be illegal. I would have played with the idea of picking up his car as a joke. But in the end I would have texted it to him and we laughed about it. This would also be the moment I started to enjoy the idea more and really wanted to do something with it.

You wouldn’t download a car

Knowing the session management on the website was completely broken, now what? And would we actually be able to obtain one of the cars? Breaches like this are hard as this isn’t simply information which can be sold as a huge database dump through a shady browser with an onion as logo.

My experiences with the company never required any identification in the form of passports, and a signature drawn on the side of a car while just out of an airplane, which is checked by a 19-year-old who is making minimum wage, is worth just about as much as the hash key in the URL.

Obviously acting on the obtained information and actually pushing ahead and stealing borrowing a car would be a huge breach of privacy for the final customer who left his car in good conscience.

Nice Beamer bro…

Taking an actual car also would open a number of legal gray areas. This leads me to believe that the smartest route is to inform the company by responsible disclosure, allow them to resolve any security issues and publish a certain article which you are reading.

To summarize, below is a video of local media stealing the above-mentioned BMW because you knew this was going to happen. (Please note the link below links to a Dutch article.)

https://kassa.bnnvara.nl/gemist/nieuws/door-beveiligingslek-mogelijk-om-andermans-auto-mee-te-nemen
