Honda’s Security ‘Soft Spots’ Exposed in Unsecured Database

A researcher said that he found a Honda ElasticSearch database exposing 40GB of internal system and device data.

An unsecured database belonging to Honda Motor Company was found leaking crucial information about its global systems, including which devices aren’t up-to-date or protected by security solutions.

The exposed ElasticSearch database contained approximately 134 million documents, and amounted to roughly 40GB of data belonging to Honda, one of the largest automobile manufacturers in the world. The data could have provided attackers with an easy map for locating the security “soft spots” of the company, said security researcher Justin Paine, who discovered the leaky database.

“The data contained within this database was related to the internal network and computers of Honda Motor Company,” he said in a Wednesday post about the incident. “The information available in the database appeared to be something like an inventory of all Honda internal machines. This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied and the status of Honda’s endpoint security software.”

The data appears to go back as far as March 13, and included information on a major endpoint security vendor that protects Honda’s machines (which Paine did not name), as well as which machines have the endpoint security software enabled and up-to-date – and more disturbingly, which machines do not have any endpoint security enabled at all, or are running older operating systems.

Employee personal and system data exposed in Honda database

“If an attacker is looking for a way into Honda’s network, knowing which machines are far less likely to identify/block their attacks would be critical information,” Paine said. “These ‘uncontrolled machines’ could very easily be the open door into the entire network.”

In addition to sensitive system information, Paine found a dataset including employee names, their email addresses, department, last login, employee numbers and account names. It also specifies employees’ machine IP address, MAC address, host name, operating system, machine type, endpoint security state and which Windows KB/patches had been applied.

One dataset also details the CEO’s full email, account name and employee ID, last login date, as well as device data such as MAC address, patching history, OS version, endpoint security status, IP and device type. Using this data, attackers could simply locate C-suite employees (such as the CEO or CFO) – and easily keep tabs on them to identify ways to launch targeted attacks, said Paine.

Paine, who stumbled on the database on July 4 via Shodan, said it was promptly secured after he contacted Honda about the incident on July 6. It appears the database was publicly accessible as early as July 1, he said.

In a statement shared by Paine, Honda said that there is no evidence that the data was leaked. Honda did not immediately respond to a request for further comment from Threatpost.

“The security issue… identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers,” according to Honda’s statement. “We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked…We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future.”

Insecure databases continue to be a security thorn in companies’ sides: In June for instance, three publicly accessible cloud storage buckets from data-management company Attunity leaked more than a terabyte of data from its top Fortune 100 customers – including internal business documents, system passwords and sensitive employee information. In May, IT services provider HCL Technologies inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains. And in April, hundreds of millions of Facebook records were found in two separate publicly exposed app datasets.
