Recently, a researcher disclosed how he found data from several top automakers exposed online. After confirming that the carmakers had indeed suffered a data breach, he reported the matter and the flaw was patched. (Sorry to all those curious cats out there!)
Trade Secrets And Other Data Exposed After Carmakers Suffered Data Breach
On July 20, 2018, a cybersecurity firm, UpGuard, made some shocking revelations in their blog post. Reportedly, several carmakers suffered a data breach when a server exposed their data publicly online. According to their research, the server belonged to Level One Robotics, a Canadian engineering service provider. Those affected include more than 100 automakers, including top brands such as Tesla, Toyota, Ford, Volkswagen, and General Motors.
Explaining the source of the data breach, they wrote in their blog,
“The data was exposed via rsync, a common file transfer protocol used to mirror or backup large data sets. The rsync server was not restricted by IP or user, and the data set was downloadable to any rsync client that connected to the rsync port.”
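The condition UpGuard describes, an rsync module restricted neither by IP nor by user, can be checked on a server you administer by reading its `rsyncd.conf`. The following is an added example, not code from UpGuard or Level One: it flags modules that lack a `hosts allow` restriction or an `auth users` list, and the sample config, module names and paths are constructed.

```python
import re

SAMPLE_CONF = """\
# constructed sample: module names and paths are made up
[customer_data]
    path = /srv/customers
[backups]
    path = /srv/backups
    hosts allow = 10.0.0.0/8, 192.168.5.10
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
[mirror]
    path = /srv/mirror
    Hosts Allow = *
"""
ANY_HOST = {"*", "0.0.0.0/0", "::/0"}

def parse_rsyncd(text):
    """Return (global_params, {module: params}) from rsyncd.conf text."""
    global_params, modules = {}, {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            # rsyncd ignores case and whitespace in parameter names
            current["".join(key.split()).lower()] = value.strip()
    return global_params, modules

def audit(text):
    """Map each module to its findings; an empty list means restricted."""
    global_params, modules = parse_rsyncd(text)
    report = {}
    for name, params in modules.items():
        eff = {**global_params, **params}  # module values override globals
        hosts = [h for h in re.split(r"[,\s]+", eff.get("hostsallow", "")) if h]
        findings = []
        if not hosts or ANY_HOST & set(hosts):
            findings.append("not restricted by IP")
        if not eff.get("authusers"):
            findings.append("not restricted by user")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A module that reports both findings is readable by any rsync client that can reach the rsync port, which is the situation the quote describes.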
The breached data, arranged in separate folders named after the automakers, included many sensitive details. As explained by UpGuard, it included trade secrets, assembly lines and schematics, blueprints, and other sensitive details. Moreover, it also included employees’ data, as well as documents related to Level One, such as contracts, customer agreements, etc. UpGuard has published several screenshots of the exposed data in their blog post.
Level One Has Closed The Publicly Accessible Server
The researchers, after discovering the exposed data, contacted Level One officials regarding the matter. Fortunately, they closed the leaky server within a day. As stated in their blog post,
“On July 1st, 2018 the UpGuard Cyber Risk team discovered the exposed rsync server and began analysis. After ownership was determined, attempts to contact Level One were begun on July 5th. After successful contact with Level One on July 9th, the exposure was promptly closed by July 10th. Level One took the exposure very seriously and made every effort to shut it down immediately upon notification.”
Nonetheless, no one can be sure that hackers did not find this exposed data earlier. Commenting on the matter, Chris Vickery, Director of Cyber Risk Research at UpGuard, and the one who found this data breach, said,
“That was a big red flag. If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”
This isn’t the first time that the automobile industry has faced a security threat. Previously, we reported how a vulnerability in Volkswagen’s IVI system could allow remote hacking attacks.