An insecure backup protocol used by robotics firm Level One is to blame for leaking 157 gigabytes of sensitive data belonging major automakers, including Ford, Tesla and Toyota.
The data included 10 years of assembly-line schematics and control settings for robotics used to build the cars, along with internal ID and VPN-request forms.
To blame was rsync, which stands for “remote sync,” a common file transfer protocol used to mirror or backup large data sets, according to UpGuard Cyber Risk team that first reported the problem on Friday.
An attacker that compromised the service could use the data to “sabotage or otherwise undermine operations using the information present in these files; competitors could use them to gain an unfair advantage,” UpGuard researchers said, adding, “The sheer amount of sensitive data and the number of affected businesses illustrate how third- and fourth-party supply-chain cyber-risk can affect even the largest companies.”
A report released Monday on supply-chain attack readiness revealed 87 percent of businesses that had active measures to thwart software supply-chain attacks fell victim to one, despite defenses.
A total of seven auto companies were impacted by the data leak, including divisions of automakers Chrysler, Ford, GM, Tesla, Toyota and Volkswagen, along with automotive supplier ThyssenKrupp. Level One also inadvertently leaked its own internal data, including employee scans of driver’s licenses and passports, along with invoices, contracts, and bank-routing numbers and SWIFT codes.
Leaky backup services differ from insecure, misconfigured AWS and Mongo databases, which have gained a high profile as being often left accessible to anyone on the internet. Leaky rsync services are typically a result of permissions set on the rsync server. In the case of Level One, the rsync server was publicly writable.
“The rsync server was not restricted by IP or user, and the dataset was downloadable to any rsync client that connected to the rsync port,” UpGuard wrote. The analysts added, “[That means] someone could potentially have altered the documents there, for example replacing bank account numbers in direct deposit instructions, or embedding malware.”
rsync has been the culprit behind many high-profile supply-chain related leaks in the past years. In 2017, sensitive data was leaked by a Pentagon contractor. In the same timeframe, contractor Power Quality Engineering publicly exposed sensitive electrical infrastructure data belonging to the City of Austin, Dell Technologies, Freescale, Oracle, SBC and Texas Instruments.
“The supply chain has become the weakest part of enterprise data privacy. Companies that spend many millions a year on cybersecurity can still be exposed by a vendor who handles their data,” wrote UpGuard.