Cybersecurity and Car Makers

OOOOOPS...

By Charles Parker


Cars are an extension of our culture and society; our persona is reflected in the vehicle we drive. The hardware and software included in a model can be technologically advanced or fairly basic. One commonality across models over roughly the last decade has been connectivity. In the future, vehicles will be connected to each other, to the road infrastructure, and to other sources. One aspect of this already in use is the owner being connected to the vehicle, and each manufacturer has its own app for this: Audi MMI Connect, AcuraLink, BMW Connected Drive, MyBuick, MyCadillac, MyChevrolet, Genesis Intelligent Assistant, and many others. These are very useful to the vehicle owner today, and they are improving as more functionality is incorporated into the app.

With an app, there is generally a full cycle of testing done to ensure, to the best of the team's ability, that vulnerabilities are identified through a TARA (threat analysis and risk assessment) or some other method and mitigated before production. Usually this process is thorough, unless the goal is merely to check a box.


Toyota

Apparently this process did not work so well for Toyota. A little issue came to light recently: a data breach affecting its cloud-based connected services (G-Link, G-Book, and Connected), which are managed by Toyota Connected Corp. For more than ten years, from January 2012 to April 2023, data on over 2.15 million vehicles was available to unauthorized parties.


Good news?

The good news, if there is any, is that only vehicles in Japan during that period were affected, not vehicles globally, which would have been a much bigger problem. Toyota has also not noted any issue arising from the exposure, such as the data being misused or leaked to third parties. Bear in mind that "no misuse noted" only means none was detected; a ten-year window on a publicly reachable database leaves plenty of room for an unlogged copy. Given how easily data can be copied and moved, this could have been much worse.


Risk

Data is the new oil. Its value is vast, both in aggregate and in the many ways it can be sliced for different customers. The exposed data included the vehicle identification number (VIN), vehicle location with a time stamp, the in-vehicle terminal ID, and video footage. That may sound innocent enough; after all, what are you going to do with a VIN and a vehicle location?

An enterprising person could identify individual owners from the data and footage, and build a file on each vehicle's usage and locations. Glance through the windshield of a parked car, take a quick picture of the VIN plate on the dashboard, and search the database for that VIN. The location history gives you the address (the spot where the car sits every night is almost certainly the owner's home), and a search of the tax rolls for that address gives you the owner's name.


Cause

The cause was relatively simple: the cloud instance was left open to outside access, that is, the environment was set to public instead of private. In other words, a misconfigured database.

This was basic human error, and it happens more often than it should. With companies moving to the cloud en masse, it will keep happening.


Post-Issue

Toyota set up employee training to increase cybersecurity awareness. Public access should have been switched off before the service was ever released to clients. Toyota will also implement a system to audit the cloud instance settings so this does not happen again. We hope it won't, but it probably will, again, and again, and again…
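The audit Toyota says it will put in place is, at bottom, a loop over every cloud resource asking "can the world reach this?". Below is an added example of such a check in Python, written for this page and not taken from Toyota, Toyota Connected Corp., or any provider's tooling. The inventory, the field names (publicly_accessible, firewall, policy), and the treatment of RFC 1918 space as "internal" are assumptions made for the example; a real job would populate the inventory from the provider's API and run on a schedule.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 space is treated as "internal" here. Assumption for the example:
# the organisation's private addressing lives entirely inside these ranges.
INTERNAL_RANGES = [ipaddress.ip_network(c)
                   for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (not real Toyota data). Field names loosely mirror
# what cloud provider APIs return: a bucket carries a policy whose
# principal "*" means "anyone"; a database carries a public-endpoint flag
# plus inbound firewall rules as (cidr, port) pairs.
INVENTORY = [
    {"type": "bucket", "name": "telematics-video-archive",
     "policy": [{"principal": "*", "actions": ["GetObject"]}]},
    {"type": "bucket", "name": "config-backups",
     "policy": [{"principal": "role/backup-service", "actions": ["GetObject"]}]},
    {"type": "database", "name": "vehicle-location-db", "publicly_accessible": True,
     "firewall": [{"cidr": "0.0.0.0/0", "port": 3306}]},
    {"type": "database", "name": "hr-db", "publicly_accessible": False,
     "firewall": [{"cidr": "0.0.0.0/0", "port": 5432}]},
    {"type": "database", "name": "staging-db", "publicly_accessible": True,
     "firewall": [{"cidr": "203.0.113.0/24", "port": 5432}]},
    {"type": "database", "name": "fleet-db", "publicly_accessible": True,
     "firewall": [{"cidr": "10.20.0.0/16", "port": 5432}]},
]


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str   # HIGH, MEDIUM or LOW
    reason: str


def is_world(cidr: str) -> bool:
    """0.0.0.0/0 or ::/0: the rule admits every address of that family."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def is_internal(cidr: str) -> bool:
    """True when the whole range sits inside one of INTERNAL_RANGES."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def audit_bucket(res: dict):
    for stmt in res.get("policy", []):
        principal = stmt.get("principal")
        anyone = principal == "*" or (isinstance(principal, list) and "*" in principal)
        if anyone:
            yield Finding(res["name"], "HIGH",
                          f"policy grants {stmt.get('actions')} to any principal")


def audit_database(res: dict):
    rules = res.get("firewall", [])
    world = sorted({r["port"] for r in rules if is_world(r["cidr"])})
    external = sorted({r["port"] for r in rules
                       if not is_world(r["cidr"]) and not is_internal(r["cidr"])})
    if not res.get("publicly_accessible"):
        # No public endpoint, so nothing reaches it from the internet today;
        # a world-open rule is still a loaded gun for whoever flips the flag.
        if world:
            yield Finding(res["name"], "LOW",
                          f"private endpoint but firewall open to the world on port(s) {world}")
        return
    if world:
        yield Finding(res["name"], "HIGH",
                      f"public endpoint, firewall open to the world on port(s) {world}")
    elif external:
        yield Finding(res["name"], "MEDIUM",
                      f"public endpoint allow-listed to non-internal ranges on port(s) {external}; confirm intent")
    else:
        yield Finding(res["name"], "LOW",
                      "public endpoint but only internal ranges allowed; make the endpoint private")


HANDLERS = {"bucket": audit_bucket, "database": audit_database}


def audit(inventory: list) -> list:
    """Run every handler and return the findings; unknown types are reported, not skipped."""
    findings = []
    for res in inventory:
        handler = HANDLERS.get(res.get("type"))
        if handler is None:
            findings.append(Finding(res.get("name", "?"), "MEDIUM",
                                    f"resource type {res.get('type')!r} not covered by the audit"))
            continue
        findings.extend(handler(res))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.severity:6} {f.resource:26} {f.reason}")
```

Run as-is it reports five of the six constructed resources; in a pipeline you would fail the build on any HIGH and open tickets for the rest. The detection is the backstop, not the control: most providers offer an account-wide switch that refuses to create public storage at all (AWS calls it S3 Block Public Access), and a deny-by-default of that kind prevents a decade-long exposure instead of discovering it after the fact.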


Resources

Hope, A. (2023, May 19). Toyota connected service decade-long data leak exposed 2.15 million customers. (URL truncated in source: …long-data-leak-exposed-2-15-million-customers/)

Kageyama, Y. (2023, May 12). Toyota: Data on more than 2 million vehicles in Japan were at risk in … (URLs truncated in source: …than-2million-vehicles-in-japan-were-at-risk-in-decades-long-breach/; https://ktla.com/ap-business/toyota-data-on-more-than-2-million-vehciles-in-Jpaan-were-at-risk-in-decade-long-…; …vehicles-in18095682.php; …million-vehicles-at-risk-in-decadeslong-breach)

Todd, D. (2023, May 16). Toyota data leak affects 2.15 million customers.


About the author-

Charles Parker II has been working in the info sec field for over a decade, in the banking, medical, automotive, and staffing industries. Charles has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.
