Data Exposure Hints at Risks to Automakers

A report that a robotics company exposed data about hundreds of automakers and parts suppliers on the Internet highlights security dangers that could grow as cars become more automated and connected.

Cybersecurity company UpGuard reported that it had discovered data from GM, Ford, Fiat Chrysler, Toyota, Volkswagen, Tesla and other companies accessible on the open Internet. Much of the information was confidential, including non-disclosure agreements that described the sensitivity of certain kinds of data. UpGuard’s research didn’t determine whether any of the data had been improperly downloaded.

Level One Robotics and Controls, a small supplier of manufacturing technology based in Canada, inadvertently exposed the 157GB of data on a network-attached storage device by configuring a server in an insecure way, said Chris Vickery, UpGuard’s director of cyber risk research. Anyone using a certain file transfer protocol could have seen or even modified the data, he wrote in a blog post.

In a statement e-mailed to The Connected Car, Level One said it has taken the storage device offline.

“I can confirm that on July 9th, we were made aware of a claim from UpGuard about an incident involving access to a single back-up drive which contained various data,” Level One President and CEO Milan Gasko said. “As soon as we were informed, we took the back-up drive offline, which immediately eliminated the access.”

Level One has hired forensics experts to investigate the claim, determine what data may have been accessible by whom and when, and strengthen the company’s systems, Gasko said.

Level One’s alleged error exposed files such as factory floor plans, assembly-line schematics and robotic configurations and documentation, plus personal information about some Level One employees, according to UpGuard. The incident shows how the complex web of partnerships behind every vehicle may expose automakers to risk through third-party and even fourth-party companies, Vickery told The Connected Car. As cars get more connected and automated, the risks from attackers exploiting a vulnerability somewhere in the supply chain are likely to grow, he said.

If the ten years’ worth of data left unsecured in this case had gotten into the wrong hands, it might have allowed attackers to sabotage factories, he said. The personal data that was exposed, including copies of passports, driver licenses and applications to Level One’s customers for security badges and VPN access, might have been used to infiltrate companies through “social engineering” techniques, he added.

While safety and automation systems in vehicles face different kinds of risks than factory equipment does, linking cars to networks and making them partly or fully autonomous creates more potential paths for attackers to use if they infiltrate automotive companies, Vickery said. Older cars, under human control and not connected to digital networks, are less vulnerable.

The data at Level One was exposed because of the way Level One configured rsync, a file transfer protocol commonly used to mirror or back up large data sets, Vickery said. In this case, access over rsync wasn’t limited by user or Internet Protocol address, so any rsync client could have connected to the server and downloaded data, he said.

One way companies might reduce the risk of such mistakes by their partners is by allowing both parties to test access to data related to their partnership, Vickery said. For example, if a company knew the address of a partner’s rsync server, it could at least test whether trying to access it from a random IP address would succeed.

Also, UpGuard sells a product for managing security risks across a supply chain, he said.

— Stephen Lawson is a freelance writer based in San Francisco. Follow him on Twitter @sdlawsonmedia.

Leave a comment

Your email address will not be published. Required fields are marked *