Security researcher UpGuard Cyber Risk disclosed Friday
that sensitive documents from more than 100 manufacturing companies, including
GM, Fiat Chrysler, Ford, Tesla, Toyota, ThyssenKrupp,
and VW were exposed on a publicly accessible server belonging to Level One Robotics.
The exposure at Level One Robotics, which provides
industrial automation services, came through rsync, a common file transfer
protocol that is used to back up large data sets, according to UpGuard Cyber
Risk. The data breach was first reported by the New
York Times.
According to the security researchers, restrictions weren’t
placed on the rsync server. This means that any rsync client that connected to
the rsync port had access to download this data. UpGuard Cyber Risk published
its account of how it discovered the data breach to show how
a company within a supply chain can affect large companies with seemingly tight
security protocols.
This means that anyone who knew where to look could access
trade secrets closely protected by automakers. It’s unclear whether any nefarious
actors actually got their hands on the data. At least one source at an affected
automaker told TechCrunch it doesn’t appear that sensitive or proprietary
data was exposed.
UpGuard’s big takeaway in all of this: rsync instances
should be restricted by IP address. The researchers also suggest that user
access to rsync be set up so that clients have to authenticate before receiving
the dataset. Without these measures, rsync is publicly accessible, the
researchers said.
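As an added illustration of the two measures UpGuard recommends (not a configuration from Level One or from UpGuard's report), the following rsyncd.conf shows the open setup that produces the exposure described above beside a hardened one; the module name, paths, username and address ranges are assumed values.

```ini
# --- Open daemon: the pattern behind the exposure described above ---
# No "hosts allow" and no "auth users": any client that can reach the
# rsync port (873/tcp) can list this module and download everything in it.
[backups]
    path = /srv/backups
    read only = yes

# --- Hardened daemon: restrict by address and require authentication ---
# Global section: bind only to the internal interface (assumed address) and
# keep a transfer log so every download is recorded for audit.
address = 10.0.0.5
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log
transfer logging = yes

[backups]
    path = /srv/backups
    comment = Plant documentation backups
    read only = yes
    # Do not advertise the module to anonymous "list modules" requests.
    list = no
    # Only the backup clients' subnet (assumed) may connect; everyone else is denied.
    hosts allow = 10.0.0.0/24
    hosts deny = *
    # rsync's own credential, checked against the secrets file, not a system account.
    auth users = backupclient
    secrets file = /etc/rsyncd.secrets
    # Refuse to start if the secrets file is readable by other users.
    strict modes = yes

# /etc/rsyncd.secrets (mode 0600, owned by the daemon user), one entry per line:
#   backupclient:<long random password>
```

rsync's daemon authentication is a challenge-response that keeps the password off the wire, but the file data itself is not encrypted, so a daemon that must be reached across untrusted networks should be placed behind an SSH or VPN tunnel rather than exposed on port 873.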
The breach exposed 157 gigabytes of data—a treasure trove
of 10 years of assembly line schematics, factory floor plans and layouts,
robotic configurations and documentation, ID badge request forms, and VPN access
request forms. The breach even included sensitive non-disclosure agreements,
including one from Tesla.
The exposed data also contained personal details of some Level One employees, including
scans of driver’s licenses and passports, and Level One business data,
including invoices, contracts, and bank account details.
The security team discovered the breach July 1. The company
successfully reached Level One by July 9 and the exposure was closed by the
following day.
Original article: TechCrunch.