Toyota hacked again but this time it was a security researcher with no ill intent
Toyota Motor Co. has been hacked again, but fortunately for the Japanese car giant, this time the hacker was a security researcher with no ill intent.
Security researcher Eaton Zveare said Monday that he gained access to Toyota’s Global Supplier Preparation Information Management System in October. The system is a web app used by Toyota employees and their suppliers to coordinate projects, parts, surveys, purchases and other tasks related to the global Toyota supply chain.
System admin access was gained through a backdoor in the app’s user impersonation, or “Act As,” feature. Zveare claims that anyone could be logged in as any user just by knowing that user’s email address, completely bypassing the corporate login flow.
Having entered the system using the backdoor, Zveare had read and write access to the system’s global user directory of more than 14,000 users. The access included confidential documents, projects, supplier rankings and comments, and other internal information.
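As an added illustration (not Toyota’s code: the GSPIMS implementation is not public), the following Python models the two designs side by side. The first “Act As” handler does what the article describes, trusting a caller-supplied email with no authentication at all; the second requires an already-authenticated admin session, refuses to impersonate admins or to chain impersonations, keeps the real actor on the resulting session, and writes an audit record. The user directory, role names and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import secrets

# Constructed sample user directory (made-up addresses and roles).
USERS: Dict[str, str] = {
    "alice@example.com": "admin",
    "bob@supplier.example": "supplier",
    "carol@example.com": "employee",
}


@dataclass
class Session:
    user: str                    # effective identity the app authorises as
    role: str
    actor: Optional[str] = None  # real identity when impersonating, else None


class AuthorizationError(Exception):
    pass


def vulnerable_act_as(target_email: str) -> Session:
    """The pattern the article describes: no caller identity is checked.

    Whoever can reach this endpoint and knows a valid email gets a session
    for that user, admins included, so the normal login flow is irrelevant.
    """
    if target_email not in USERS:
        raise KeyError("no such user")
    return Session(user=target_email, role=USERS[target_email])


AUDIT_LOG: List[dict] = []


def secure_act_as(caller: Session, target_email: str) -> Session:
    """Hardened impersonation (a hypothetical design, not Toyota's fix).

    - the caller must present an already-authenticated session;
    - only admins may impersonate, and nobody may impersonate an admin;
    - an impersonation session cannot start another one;
    - the real actor stays recorded on the session and in an audit log.
    """
    if caller.actor is not None:
        raise AuthorizationError("nested impersonation is not allowed")
    if caller.role != "admin":
        raise AuthorizationError("impersonation requires the admin role")
    role = USERS.get(target_email)
    if role is None:
        raise KeyError("no such user")
    if role == "admin":
        raise AuthorizationError("admins cannot be impersonated")
    AUDIT_LOG.append({
        "id": secrets.token_hex(8),
        "event": "impersonation_start",
        "actor": caller.user,
        "target": target_email,
    })
    return Session(user=target_email, role=role, actor=caller.user)


def denied(fn: Callable[..., Session], *args) -> bool:
    """True if fn(*args) is refused with AuthorizationError."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    # Vulnerable path: an unauthenticated request becomes an admin.
    print(vulnerable_act_as("alice@example.com"))
    # Hardened path: only a real admin session can act as a supplier,
    # and the audit record names who did it.
    admin = Session("alice@example.com", "admin")
    print(secure_act_as(admin, "bob@supplier.example"))
    print(AUDIT_LOG[-1])
```

The design point is that the impersonation target is never treated as the caller’s identity: authorisation is decided on the authenticated caller, and the impersonated session carries both names so that anything done while acting as a supplier is attributable to the admin who started it.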
Zveare disclosed his findings to Toyota in November and the company subsequently fixed the issue in a timely manner.
The problem is that Zveare was able to gain access in the first place. Toyota may not be as bad as serial security offenders such as T-Mobile USA Inc. or LastPass, but it does suffer fairly regular security breaches, whether directly or across its supplier network. Then there was the time in October when it left access keys on GitHub.
In March, Toyota was forced to halt manufacturing operations at all of its plants in Japan after a cyberattack struck a major component supplier. The supplier, Kojima, was directly connected to Toyota via Toyota’s kanban just-in-time production control system and there was concern that the attack could also spread to Toyota’s system.
The same month, data was stolen from Denso Corp., a global automotive manufacturer based in Japan that is also 25% owned by Toyota. The Pandora ransomware gang claimed responsibility and said it had stolen 1.4 terabytes of data belonging to Toyota.
“What is perceived as ‘internal systems’ to organizations no longer is,” Dror Liwer, co-founder of cybersecurity company Coro Cyber Security Ltd., told SiliconANGLE. “With partners, suppliers and employees collaborating via the internet – all systems should be considered external, and as such, protected against malicious intrusion. Being at the top of the food chain, this security lapse is a minor PR inconvenience. Had it been discovered in one of Toyota’s suppliers, rest assured the supplier could have lost Toyota as a customer.”
Lorri Janssen-Anessi, director of external cyber assessments at cyber defense platform provider BlueVoyant LLC, said that “what today’s organizations should take from the reported vulnerability in Toyota’s supplier management network is a firm reminder to look at their own vendor and supplier cybersecurity — after all, Toyota wasn’t the first company to experience an incident like this and sadly won’t be the last either.”
“Organizations need to consider access control and user account privileges,” Janssen-Anessi explained. “With Toyota’s reported issue, anyone with a valid email was given access to everything in a portal. Instead, organizations should only provide employees and third parties with access to the data needed for their role. This helps to control what data can be accessed in the event of a breach.”
Photo: Shuets Udono/Wikipedia Commons