(July 1st, 2018) During a routine scour of the internet and its vulnerabilities, the team at UpGuard’s Cyber Risk Division discovered an exposed server containing sensitive information belonging to several major automobile manufacturers.
Over 150 gigabytes of sensitive data, including non-disclosure agreements, invoices, scopes of work, client ID badges, VPN credentials, and employee data, were contained within the exposed server. Furthermore, the data included detailed CAD drawings of both the machines used to build cars on the production line and certain car parts, a significant competitive threat to the affected businesses. Included in this breach were major automobile giants such as Toyota, Volkswagen, Ford, Chrysler, GM, Tesla, and ThyssenKrupp.
UpGuard’s Cyber Risk team quickly determined that the exposed server belonged to Canadian robotics automation company Level One, and within five days of finding the vulnerability, they began attempts to contact Level One.
The exposure can be attributed to Level One’s protocol for large data transfers, typically for backing up archived data or syncing their files across workstations. Level One uses a commonly deployed cloud tool called Rsync, which can leave significant vulnerabilities if not configured correctly.
Rsync’s major security weaknesses stem from improper configuration. In this instance, Rsync should have been restricted to the specific IP addresses of the clients that need access to the system, which it was not. Additionally, Rsync should require some form of user authentication before any data can be pulled from the system. Since neither of these two measures was taken to secure the Rsync server at Level One, their customer, employee, and internal data was not only accessible to the public but also modifiable by the public.
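The following added example (not code from UpGuard, Level One, or Packetlabs) audits an `rsyncd.conf` for the two missing controls described above, plus public writability. The sample configuration is constructed, and its module names, paths, and addresses are assumptions; `hosts allow`, `auth users`, `secrets file`, and `read only` are standard rsync daemon parameters.

```python
# Constructed sample rsyncd.conf: one wide-open module, one hardened module.
# Module names, paths and IP addresses are illustrative assumptions.
SAMPLE_CONF = """\
uid = nobody
[backups]
    path = /srv/backups
    read only = no

[cad-archive]
    path = /srv/cad
    hosts allow = 192.0.2.10 192.0.2.11
    auth users = syncuser
    secrets file = /etc/rsyncd.secrets
"""

def parse_modules(text):
    """Return {module: settings}; global settings are inherited as defaults."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(globals_))
        elif "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # normalise case and spacing
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: [findings]} for modules missing the basic controls."""
    report = {}
    for name, cfg in parse_modules(text).items():
        findings = []
        if not cfg.get("hosts allow"):
            findings.append("no 'hosts allow': client IPs are not allow-listed")
        if not cfg.get("auth users"):
            findings.append("no 'auth users': anonymous access is permitted")
        # rsyncd modules are read-only unless this is explicitly disabled
        if cfg.get("read only", "yes").lower() in ("no", "false", "0"):
            findings.append("'read only = no': clients can modify the data")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        print(module, findings)
```
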
It is unknown if any of the data was modified or stolen, but Level One was very quick to patch the vulnerability upon notification of the breach. Level One patched the exposure on July 10th, within 24 hours of being contacted by UpGuard’s Cyber Risk team.
Ultimately, the consequences of such a wide breach of data will only be fully realized in time. There is a possibility that no one found and exploited this vulnerability before UpGuard did, but there is no way to say for sure. What we do know is that, due to the lack of an authentication process and IP restrictions in the supply chain, 157 gigabytes of sensitive information were made public. What this tells us is that the supply chain itself poses a great threat to data security for enterprise-level organizations. No matter how much your enterprise may invest in top-tier security, you will always be vulnerable to the risk of a security breach if you do not maintain a standard protocol for data management across all third parties that handle your data.
Contact the Packetlabs team to learn more about how we can uncover hard-to-find vulnerabilities in your network before you hit the newspaper.