Thousands of documents detailing assembly line schematics, robotics configurations, and other trade secrets for automakers like Volkswagen, Toyota and Tesla were found on a publicly accessible server belonging to an automotive robotics supplier. It is potentially very bad news for these car companies, and here’s why.
This highly sensitive data was available to be downloaded by anybody, so long as they knew where to look. Cybersecurity firm UpGuard, which specializes in finding unprotected data stores like this, discovered the exposure on July 1, and the offending supplier, Level One Robotics and Controls, had the hole closed by July 10.
While you or I might not be after schematics of Toyota’s assembly lines, production methods are some of the most important trade secrets in the industry. As Tesla has proven, mass producing cars requires a massive amount of institutional knowledge and expertise that upstarts would kill to access.
So important are some of these details that they’re actually the subject of strict nondisclosure agreements explaining their confidentiality, which were ironically also publicly available on this server.
“That was a big red flag,” Chris Vickery, the researcher who found the data, told the New York Times. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”
Not only could this data be downloaded, but according to UpGuard, the permissions were set to allow anyone to write to the server. That means the data could be accessed, downloaded, and changed by anyone. Had they found it, malicious actors could have modified the routing numbers on direct deposit forms or embedded malware in the company’s servers.
While we don’t know whether anyone but UpGuard did find and access the files, I’d imagine a lot of people at Level One and the automakers are panic-checking their important files around now.
These kinds of breaches are becoming increasingly common in the data security world, with third-party suppliers being a major point of entry for ne’er-do-wells. Per the New York Times:
Fifty-six percent of the businesses polled last year by Ponemon Institute, a security research firm, said they had at some point experienced a data breach linked to a vendor. The exposure only grows as more third-party companies gain access: The survey’s respondents said an average of 470 outside companies had access to their sensitive corporate information, up from around 380 a year earlier.
Given that the auto industry is particularly reliant on a sprawling supply chain, automakers may be at high risk for these kinds of breaches. While it isn’t the biggest security concern for car companies, an expert told the Times that it’s becoming a more salient issue for the industry:
The auto industry has a deep and complex supply chain, and third-party security risk is an area of growing concern, said Faye Francy, the executive director of the Automotive Information Sharing and Analysis Center, a trade group that focuses on cybersecurity.
Generally, automakers’ top security priority is vehicle risks, she said, such as vulnerabilities that could be used to attack a car’s critical components. Leaked corporate documents aren’t quite as fraught — “I doubt anyone is going to die over it,” Ms. Francy said — but the exposure of such information is still worrying.
“No one wants their data outside of their own company,” she said. “Anything that showcases how they manufacture is proprietary and competitive.”
Companies like UpGuard try to spot these exposures before malicious actors find them, but ultimately the responsibility for data security lies with the company handling the information.
As more and more suppliers are granted access to proprietary information, automakers may have to start enforcing stricter security protocols if they want to keep information private.