Cybersecurity and Car Makers
OOOOOPS...
By Charles Parker
Cars are an extension of our culture and society; our persona is reflected in the vehicle we drive. A model can be technologically advanced or fairly basic in the hardware and software it includes. One commonality across models over roughly the last decade has been connectivity. In the future, vehicles will be connected to each other, to the infrastructure, and to other sources. One aspect already in use is the owner being connected to the vehicle. Each manufacturer has its own app for this: Audi MMI Connect, AcuraLink, BMW Connected Drive, MyBuick, MyCadillac, MyChevrolet, Genesis Intelligent Assistant, and many others. These are very useful to the vehicle owner now, and they are improving as more functionality is incorporated into the tool.
With an app, there is generally a full cycle of testing done to ensure (to the best of the team's abilities) that vulnerabilities are identified, through a TARA (threat analysis and risk assessment) or other methods, and mitigated before production. Usually this process is thorough, unless you are only there to check the box.
Toyota
Apparently, this process didn't work so well for Toyota. They had a little issue that came to light recently: a data breach in their online service, the Toyota cloud-based connected service (G-Link, G-Book, and Connected), which is managed by Toyota Connected Corp. Over a span of 10+ years, from January 2012 to April 2023, data on over 2.15 million vehicles was available to unauthorized parties.
Good news?
The good news, if there is any, is that only vehicles in Japan during that period were affected, not vehicles globally, which would have been a much larger problem. There also haven't been any issues noted from the compromised data, such as the data being misused or leaked to third parties. Given how easily data can be moved, this could have been much worse.
Risk
Data is the new oil. Its value is vast, both for the data in total and for the many ways it can be sliced for different customers. The exposed data included the vehicle identification number (VIN), vehicle location with time stamp, terminal ID, and video footage. This may sound innocent enough. After all, what are you going to do with a VIN and a vehicle location?
An enterprising person might be able to identify individual owners from the data and footage and build a file on each vehicle's usage and location. If someone happens to look through the windshield and take a quick picture of the VIN, the database could be searched for that VIN; with that comes the address, and the tax rolls can be searched for the owner's name.
Cause
The cause was relatively simple. The cloud instance hosting the service was left open to outside access: the access setting was public instead of private, a misconfiguration of the database. This was basic human error, and it happens more often than it should. With more companies moving to the cloud en masse, it will continue to happen.
Post-Issue
The corporation set up employee training to increase cybersecurity awareness. Public access should have been turned off as soon as the service was released to clients. Toyota will also implement a service to audit the cloud instance settings to ensure this doesn't happen again. While we hope it won't occur again, it probably will, again, and again, and again…
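The "audit the cloud instance settings" control described above is the kind of check that can be automated and run continuously. The script below is an added example, not Toyota's code and not tied to whatever cloud platform Toyota Connected actually used. It assumes an AWS-style resource policy (a Statement list with Effect, Principal, Action and Condition) and an ACL grant list as the configuration format, and uses the two real AWS canned-group URIs for "anyone" and "any AWS account"; the bucket names, role ARN, account ID and the simplified BlockPublicAccess flag are constructed placeholders. It flags the public-access setting that caused the incident and shows the corrected, role-scoped configuration beside it.

```python
"""Audit a cloud data-store access configuration for public exposure.

Added example: assumes an AWS-style resource policy plus ACL grants as the
configuration format. Sample configurations below are constructed.
"""
import json

# Real AWS canned ACL group URIs meaning "anyone" / "any AWS account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    """Normalise the policy JSON 'scalar or list' convention into a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element ("*" or {"AWS": [...]}) into strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def audit_policy(policy):
    """Return findings for Allow statements whose principal is the wildcard."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        # A wildcard Allow with no Condition is reachable by anyone; with a
        # Condition it may still be too broad, so it is flagged for review.
        severity = "REVIEW" if stmt.get("Condition") else "PUBLIC"
        findings.append({"source": "policy", "severity": severity,
                         "statement": index, "actions": _as_list(stmt.get("Action"))})
    return findings


def audit_acl(grants):
    """Return findings for ACL grants to the global AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES:
            findings.append({"source": "acl", "severity": "PUBLIC",
                             "grantee": PUBLIC_ACL_GRANTEES[uri],
                             "permission": grant.get("Permission")})
    return findings


def audit_bucket(config):
    """Combine policy, ACL and public-access-block checks for one data store."""
    findings = audit_policy(config.get("Policy", {}))
    findings += audit_acl(config.get("Grants", []))
    # BlockPublicAccess is a constructed simplification of the account/bucket
    # level "block public access" switch; its absence is a separate finding.
    if not config.get("BlockPublicAccess", False):
        findings.append({"source": "settings", "severity": "REVIEW",
                         "detail": "public-access block is off"})
    return findings


# Constructed sample: the setting that leaves a data store open to the internet.
EXPOSED_CONFIG = {
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-telematics-data",
                      "arn:aws:s3:::example-telematics-data/*"]}]},
    "Grants": [{"Grantee": {"Type": "Group",
                            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
    "BlockPublicAccess": False,
}

# Constructed sample: the same store restricted to one application role.
PRIVATE_CONFIG = {
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/telematics-app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-telematics-data/*"}]},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                "Permission": "FULL_CONTROL"}],
    "BlockPublicAccess": True,
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("private", PRIVATE_CONFIG)):
        print(name, json.dumps(audit_bucket(cfg), indent=2))
```

Run against the exposed configuration it reports the wildcard policy statement, the AllUsers ACL grant and the disabled public-access block; against the private configuration it reports nothing. Scheduling a check like this against every instance, rather than relying on a one-time review at release, is what turns the audit promised in the text into an ongoing control.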
About the author
Charles Parker II has been working in the infosec field for over a decade, in the banking, medical, automotive, and staffing industries. Charles has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker's areas of interest include cryptography, AV, and SCADA.