In today’s evolving threat landscape, attackers are strengthening their social engineering efforts using human-centric activities. Follow this article to know how negligent actions led cybercriminals to one of the biggest automakers worldwide, Toyota’s server.
Through a notification, Toyota Motor Corporation recently warned its customers that their personal information might have gotten exposed after finding out about a publicly available access key on GitHub, which has been available for almost five years.
Toyota T-Connect, the global giant’s official connectivity app, allows Toyota car owners to connect their smartphone to the car’s infotainment system for music, navigation, phone calls, notifications integration, engine status, fuel consumption, driving data, etc.
Toyota recently discovered that the T-Connect site source code portion was mistakenly published on GitHub, containing an access key to a data server that stored customers’ e-mail addresses and management data. The notification states that the published source code enabled unauthorized third-party access to the details of 296,019 customers from December 2017 to September 15, 2022.
The notification further reads that a development subcontractor may have caused the error, but Toyota accepted the responsibility for the mishandling of data and apologized for the inconvenience. The Japanese automaker notes that it cannot rule out the possibility that someone accessed or stole the data.
“Concluding an investigation by security experts, although we cannot confirm third-party access based on the data server’s access history. However, we cannot completely deny it,” the notice explains (machine translated).
Steps Toyota Took to Control the Damage
On September 17, 2022, Toyota restricted access to the GitHub repository and changed the database’s keys, denying further access to all unauthorized third parties. Toyota reassured its customers that customer names, phone numbers, and credit card data were not compromised because they were not stored in the exposed database.
Furthermore, the Japanese automaker advised its T-connect users. They registered from July 2017 to September 2022 to maintain vigilance against phishing scams and refrain from opening suspicious e-mail attachments claiming to be from Toyota.
A Wake-Up Call for Developers
Symantec’s security analysts believe such incidents are becoming a large-scale problem that places huge amounts of sensitive data at risk of exposure. As Toyota mentioned in the notification, the incident resulted from developer negligence who preferred to tread the easy way while testing multiple app iterations. They store credentials in the code and make service access, configuration updating, and asset fetching quick and easy.
They must remove these credentials when they finalize the software for actual deployment, but as evident from the Toyota breach, the developers did not do due diligence.
To combat the problem, GitHub is now scanning published code for secrets; however, if a developer uses custom tokens or non-standard access keys, it cannot detect them by default. Symantec highlighted the following reasons why developers may unwantedly cause the issue:
- Downloading or uploading resources and assets required for the app, usually large recordings, media files, or images
- Accessing the app’s configuration files and collecting device information, storing it in the cloud
- Accessing cloud services requiring authentication, like translation services
- Dead code, No specific reason, or information used for testing but never removed
Steps to Protect Against Such Issues
Organizations must protect themselves from such vulnerabilities by:
- Adding security scanning to the app development lifecycle. It can help highlight potential issues.
- Organizations using an outsourced provider must require and review Mobile App Report Cards to identify any unwanted vulnerabilities or app behaviors for every mobile app release.
- App developers must look for a report card scanning both SDKs (software development kits) and frameworks in their application and identify the source of unwanted behaviors or any vulnerabilities.
- Customers/Employees must remain vigilant when they receive suspicious e-mails. They must verify the sender’s authenticity before opening any link/ attachment contained in the e-mail.
What The Experts Are Saying
Sam ‘Frenchie’ Stewart, CEO, Frenchie InfoSec.
Stripping unnecessary data from IT systems is the best way to avoid sensitive data exposure. While consumers must be encouraged to be mindful of what details they share online, the responsibility in the Toyota incident lies with the organizations entrusted with phishing protection.
Sam referred to the Canadian-British author and journalist Corey Doctorow’s remark from 2008: “Organizations must treat data like radioactive waste, only collecting the absolute minimum personal information, and investing in adequate safeguards to protect their customers’ privacy.”
“Organizations can’t leak data they don’t collect, so I want to see them adopting the data minimization trend and becoming proactive about taking customer privacy seriously,” he added.
Jordan Schroeder, managing CISO, Barrier Networks
“Such secure development errors plague enterprises today, and their customers pay the price after attackers discover the error and compromise data and systems.”
He suggests that addressing these weaknesses requires organizations to implement secrets management so that experts can pull access keys from secured secrets servers and they are not hard coded into the app or software.
Thus, organizations can prevent such incidents by locking down the development cycle to prevent public access and defining automated code repository access and security reviews (including searching the internet for code snippets indicating source code leakage).”
It is not the first time Toyota is facing such an incident. In March 2022, it was forced to halt production at all Japanese plants after a key supplier became the victim of a ransomware attack.
Chris Clements, VP (Solutions Architecture), Cerberus Sentinel
“It’s worth noting how much potential damage a simple mistake can cause, and the mistake can take years to identify!”
He further added that it was not the first time an organization had private information potentially exposed by uploading passwords or secret keys to public code repositories. “The Toyota breach points to the grim challenge that data proliferation presents.
Every data copy from employees to subcontractors opens another avenue for inadvertent disclosure. Thus, heavily securing and monitoring your main storage location is of little use if a user can copy the data to a cloud service outside your control,” he remarked.
Roger Grimes, defense evangelist, KnowBe4
“It is a common password threat scenario. It is estimated that numerous exposed passwords are up on GitHub, waiting for a user who accesses the source code to reveal it.”
He added that example projects confirmed that passwords in GitHub uploaded code were accessed and used against the victim organization in less than 30 minutes. Grimes advises developers to remember that production, active passwords into source code are not allowed. They must realize that including passwords in source code (even for testing) is like running with scissors and will not lead to any good outcome.
Verizon’s 2022 Data Breaches Investigations Report noted that 82% of data breaches happen due to a human element. So how to deal with such issues? Like most cybersecurity aspects, there are no easy answers because it is not an easy problem.
However, enterprises must adopt a cultural approach to cybersecurity, which is integral to every business process. The solution to such threats is the defense-in-depth combination of policies, education, and technical tools to prevent errant passwords from getting left in the source code.