[HN Gopher] Hacking India's largest automaker: Tata Motors
___________________________________________________________________
Hacking India's largest automaker: Tata Motors
Author : EatonZ
Score : 98 points
Date : 2025-10-29 01:31 UTC (2 days ago)
(HTM) web link (eaton-works.com)
(TXT) w3m dump (eaton-works.com)
| speckx wrote:
| The fact that they put their AWS secret keys on their website is
| incredible.
| YetAnotherNick wrote:
| Sending it with AES encryption (with the key that the client has
| access to) makes it even worse, as someone knew this shouldn't
| be shared to client yet they shared it anyway.
| horns4lyfe wrote:
| If you've ever worked with Indian outsourcing firms it's not
| quickthrowman wrote:
| That's exactly the kind of work I'd expect from TCS, I'm not
| sure why you are surprised.
| darth_avocado wrote:
| Even more importantly, why do the root keys expose EVERYTHING?
| Do they just have one account for all of their infra?
| ksynwa wrote:
| So the author got nothing but a thank you out of it? That's a
| shame.
| tehlike wrote:
| At least there was a "thank you".
|
| Some go on to sue such researchers.
| paxys wrote:
| Yup, they said thank you and took action only because this
| was a US-based researcher. Had any Indian dared to do this
| they'd be in for a world of pain. Not through a lawsuit, but
| criminal charges.
| DaSHacka wrote:
| Typical 'payout' for ""responsible"" disclosure.
| sharadov wrote:
| Security for most Indian companies - even conglomerates is a
| joke.
|
| Look at the websites - most look like they've not been upgraded
| since the 90s, with endless popups
| Ylpertnodi wrote:
| > endless popups
|
| You get popups? What are you using to browse? IE5?
|
| I sometimes get 'this site is trying to open another window
| -allow/ block?': answer is always 'No'.
| fakedang wrote:
| Not ad popups, site UI popups.
|
| Another example, financial services publicly traded company
| with a recent 99% profit decline:
|
| https://www.emkayglobal.com/
| renewiltord wrote:
| In site modals.
| alephnerd wrote:
| It's a side effect of pay. Like every other company, you get
| what you pay for, and for organizations that view web security
| as a [edit:] _Cost Center_ (e.g. Tata Motors) there's no
| incentive to pay market rate for a Security Engineer - who in
| India can now demand $60k-100k TCs.
|
| Heck, firms that provide offensive security capabilities to
| Indian PDs can pay $40k-50k after poaching a junior pentester
| or exploit developer from a PD.
| spelk wrote:
| Sorry to be pedantic but I think you mean 'cost center', not
| loss leader (something sold at a loss to attract customers
| into your ecosystem/store). You are entirely right otherwise.
| alephnerd wrote:
| Doh! You are correct! Crossed wires during a meeting
| vrinsd wrote:
| I understand why someone might think this is a pay issue, but
| it goes beyond that.
|
| Culturally, doing something "well" (quality oriented, mindful
| of end-users) vs. "got it done" (transaction, pragmatic way
| of looking at things) is the heart of why outsourcing to many
| different geographical areas (India included) often results
| in something different than expected.
|
| Also condemning everyone in one part of the world as
| thinking one way is certainly not fair or true, but there are
| definitely unmistakable trends.
| alephnerd wrote:
| Because it is about pay.
|
| For example, most of the security portfolio that GCP
| provides is developed and product managed out of the Google
| Hyderabad office, as is a fairly major Israeli CNAPP
| product that starts with "A", a large CNAPP from a public
| Israeli-American security company that is directly
| positioned against Wiz, and a major security vuln mgmt and
| redteaming tool used by the DoD, GitHub, and Google. But
| all these employers pay $60k-130k TC for mid-career
| security professionals.
|
| Anyone who is remotely competent gets scooped up by
| transnational firms or startups who can afford to pay
| Western salaries, and traditional conglomerates in India
| largely do not care about web exploits unless they are a
| web platform first and foremost.
|
| Tata Motors - being an automotive company - does not care
| about web development for the same reason GM doesn't as
| well: it isn't tangibly connected to revenue generation. As
| such, they will just contract it out to TCS (a Tata Group
| company, but both are independent of each other) at the
| lowest contract rate possible.
| porridgeraisin wrote:
| That culture at WITCH and WITCH adjacent companies is
| itself a result of the pay.
| Nextgrid wrote:
| Pay should reward doing something _well_ vs merely doing
| something. Of course, this would generally mean you need to
| pay _more_ than the competitor which will happily pay for
| merely doing something. So yes it is about pay.
| alephnerd wrote:
| Also, Indian companies are competing with American and
| Israeli founded or funded companies and startups for the
| same talent.
|
| If you are competent, instead of earning $15k TC working
| for an automotive company, you could demand $40k-70k in
| TC from an MNC or a well funded startup (assuming you
| have the skills to back it up) - and those are the
| numbers my portfolio companies use to target hiring in
| India, as well as what I used previously before I became
| a VC.
| thelastgallon wrote:
| Related: Jaguar Land Rover hack cost UK economy an estimated $2.5
| billion, report says:
| https://news.ycombinator.com/item?id=45668008
|
| The 'tech' for both these is by guess who? TCS!
|
| Edit: For those who don't know the relation. Tata[1] is a
| conglomerate, which owns both Tata Motors (Jaguar, Land Rover)
| and also TCS (Tata Consultancy Services)
|
| [1] https://en.wikipedia.org/wiki/Tata_Group
| cjs_ac wrote:
| TCS also contracts for Marks & Spencer, and the Co-op, both of
| which were also taken offline by hacking earlier this year.
| Mistletoe wrote:
| At what point is it more believable that these are inside
| jobs done on purpose vs. incompetence? I guess that's just
| Hanlon's Razor though.
| cjbgkagh wrote:
| I have heard there is a growing trend of hackers paying
| kickbacks to insiders, certainly makes hacking easier.
| CommanderData wrote:
| Having worked with Indian consultancy firms for over 10
| years. I can safely say security attitudes and practices
| haven't changed much.
|
| There's always this culture of taking shortcuts at the
| expense of security and quality.
| cjbgkagh wrote:
| One of the problems with incompetence, of which there are
| many, is that it gives bad actors space to operate. From
| a security point of view I don't think the distinction
| matters all that much.
|
| That said, the situations I've heard about were from
| affiliate ransomware attacks that didn't make the news
| because the backup worked. It's difficult to keep things
| secure from highly motivated internal bad actors. I've
| been told it's an increasing trend but have not heard
| much about it publicly.
| jacquesm wrote:
| It's perfectly believable. Whether it is more believable or
| not is a toss up. If you employ such a large number of
| people there are bound to be a couple of bad apples, and
| unless you have _very_ good internal processes and
| monitoring it isn't all that hard to imagine someone doing
| something they shouldn't be doing. But absent hard evidence
| that it happened that way it's interesting speculation but no
| more than that, besides, it can be impossible to
| distinguish between the two even if you have evidence of an
| inside job that looks like incompetence!
| zdragnar wrote:
| Based on my experience working alongside TCS, incompetence
| seems far more likely. If we'd asked for a back door, we'd
| have gotten a solid wall.
|
| Then again, my experience may have left me a little jaded.
| fencepost wrote:
| Note that M&S dropped TCS in July following the recovery.
| https://www.ft.com/content/289ec371-2ed4-425a-9bd0-c34e6db39...
| and elsewhere.
| rdtsc wrote:
| > October 23, 2023: They confirm receipt and are working on
| taking action. After this date and up until January 2, 2024,
| there were various back and forth emails trying to get Tata
| Motors to revoke the AWS keys. I am not sure if something was
| lost in translation, but it took a lot of pestering and specific
| instructions to get it done.
|
| Wow, they had to go out of their way and plead with Tata Motors
| to fix their own shit. I can only admire their patience. Can't
| say I would be that patient.
| spprashant wrote:
| This is embarrassing.
| fakedang wrote:
| I'll just leave this here:
|
| > September 1, 2023: Tata Motors shared with CERT-IN (who then
| shared with me) that the issues are remediated. September 3,
| 2023: I confirm only 2/4 issues were remediated and the AWS keys
| were still present on the websites, and active. October 22, 2023:
| After no updates and finding the AWS issues still not remediated,
| I send over some more specific steps on what must be done.
| October 23, 2023: They confirm receipt and are working on taking
| action. After this date and up until January 2, 2024, there were
| various back and forth emails trying to get Tata Motors to revoke
| the AWS keys. I am not sure if something was lost in translation,
| but it took a lot of pestering and specific instructions to get
| it done.
|
| Stay classy TCS.
| paxys wrote:
| This shouldn't be a surprise for anyone who has worked with TCS
| contractors in the past.
| yahoozoo wrote:
| Superpower by 2027.
| debarshri wrote:
| This is a pessimistic comment.
|
| I'm a cofounder of a data and identity security startup operating
| specifically in APAC. Data security in India is a joke.
|
| I would argue even with DPDPA, RBI C-Site and cyber resilience
| framework from SEBI, it is just going to not happen here.
|
| The list of PAN cards the blog is talking about is probably already
| leaked by some other services.
|
| The recent Flipkart cash on delivery scams [1] are an example of how
| your personal information is just out there in the wild in India,
| open for exploitation.
|
| There are a lot who do security in good faith (often driven by
| compliance) and a lot of them are our customers too, but I hope to
| see the rest of the Indian tech ecosystem take security seriously.
|
| [1]
| https://www.reddit.com/r/FuckFlipkart/comments/1hhrw9w/what_...
| alephnerd wrote:
| I've dealt with Indian companies for security sales and I'd say
| the newer generation of companies like Razorpay (YC W15) are
| decent at SecOps, but the older and more established companies
| suck at it and will continue to suck at it until there is a
| tangible regulatory incentive to enhance security postures.
|
| It also appears to be a side effect of compensation - why would
| mid-career security professional want to earn ₹15 LPA TC
| working for a legacy corporation if they have the skills to
| land at a security MNC that can afford to pay ₹35-50 LPA in
| TC.
|
| Ofc, it's us foreign investors who are able to afford those
| higher TCs ;) - especially if we can convert someone who was
| mid-career in the US but had to return to India due to family
| or visa issues.
|
| It reminds me of how the Israeli security scene was 10-15 years
| ago, with similar problems around compensation and brain drain
| to MNC offices.
| connectsnk wrote:
| Are there any open source tools that scan the code and detect
| such gaffes?
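The question above is about detecting hardcoded cloud credentials before they ship in a website's assets. Open source scanners that do this exist (gitleaks, trufflehog, detect-secrets, AWS's own git-secrets), and the core of what they do for AWS keys is small enough to show. The following is an added example written for this page, not code from the thread, the article, or any of those projects. It assumes nothing beyond the Python standard library; the "files" it scans are constructed inline, and the key values inside them are AWS's documented example credentials rather than real ones. Unlike a one-line grep for "AKIA", it also reports candidate secret access keys, but only when the line carries a secret-looking label and the string has high Shannon entropy, which is how real scanners keep build hashes and placeholder values out of the report.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# AWS access key IDs: "AKIA" (long-term IAM user keys) or "ASIA" (temporary
# STS keys) followed by 16 upper-case letters or digits.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters from a base64-like alphabet. That alone
# matches far too much (commit hashes, build ids), so a candidate is reported
# only when the same line carries a secret-looking label AND the string has
# high Shannon entropy (which rules out placeholders such as forty 'A's).
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)
SECRET_LABEL_RE = re.compile(r"secret", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-character-repeat string."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Scan one file's text line by line and return every credential finding."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", m.group(0)))
        if SECRET_LABEL_RE.search(line):
            for m in SECRET_CANDIDATE_RE.finditer(line):
                if shannon_entropy(m.group(0)) >= entropy_threshold:
                    findings.append(
                        Finding(path, line_no, "aws_secret_access_key", m.group(0))
                    )
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents (what a CI job would feed in)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def redact(value: str) -> str:
    """Show only the ends so the scanner's own report does not leak the secret."""
    return value[:4] + "..." + value[-4:]


# Constructed sample "files" standing in for a site's shipped assets (assumption:
# paths and contents are made up for this example). The key values are AWS's
# documented example credentials, not live ones.
SAMPLE_FILES = {
    "static/js/app.bundle.js": (
        'var cfg = {region: "ap-south-1",\n'
        '  accessKeyId: "AKIAIOSFODNN7EXAMPLE",\n'
        '  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"};\n'
        'var buildHash = "3f8e2a1c9b7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f";\n'
    ),
    "config/settings.example.ini": (
        "[aws]\n"
        "aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {redact(f.value)}")
```

Run against the constructed files it reports the access key ID on line 2 and the secret on line 3 of the JS bundle, and nothing else: the 40-character build hash has no secret label on its line, and the all-'A' placeholder in the INI file has zero entropy. The entropy threshold is the tuning knob; lowering it catches more real keys at the cost of noise, and raising it does the opposite. Wiring a scan like this into CI, with the deployed bundle as input rather than only the source tree, catches the case in the article, where the key ended up in the assets served to browsers.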
___________________________________________________________________
(page generated 2025-10-31 23:00 UTC)