Honda Motor Company has left 40GB of internal system and device data exposed to potential attackers. The company has conceded that there was a vulnerability, but maintains that there was no unauthorised access of the data.
Justin Paine, director of trust and safety at Cloudflare, wrote about stumbling upon an ElasticSearch database without any authentication, which turned out to be a database related to the internal network and computers of Honda.
"The information available in the database appeared to be something like an inventory of all Honda internal machines. This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda's endpoint security software," he wrote.
The exposed ElasticSearch database contained approximately 134 million documents totalling some 40GB of data. Honda promptly secured the database after Paine notified the company.
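The exposure described above comes down to two settings: an Elasticsearch node listening on a network interface and a REST API that requires no credentials. The following is an added example, not code from Honda, Cloudflare or Elastic, showing how a defender can audit a node's own `elasticsearch.yml` for that combination and classify a captured response from `GET /` on the node. It assumes the flat `key: value` layout Elasticsearch uses for `network.host` and `xpack.security.enabled`, and all sample inputs are constructed for illustration.

```python
"""Offline audit for the unauthenticated-Elasticsearch exposure pattern.

Added example (not Honda's, Cloudflare's or Elastic's code). Assumes the
node's elasticsearch.yml is readable and that a GET / probe against the
node has already been captured as (status, body). Inputs are constructed.
"""
import json

# Constructed sample: node bound to every interface with security turned off.
INSECURE_YML = """\
cluster.name: inventory-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: node bound to loopback with security enabled.
HARDENED_YML = """\
cluster.name: inventory-cluster
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Constructed sample of what GET / returns when no credentials are required:
# HTTP 200 with cluster metadata in the body.
EXPOSED_ROOT_RESPONSE = (200, json.dumps({
    "name": "node-1",
    "cluster_name": "inventory-cluster",
    "version": {"number": "6.8.0"},
}))

# Constructed sample of a node that enforces authentication.
PROTECTED_ROOT_RESPONSE = (401, '{"error":"security_exception"}')

LOOPBACK_VALUES = ("127.0.0.1", "localhost", "_local_", "::1")


def parse_simple_yaml(text):
    """Parse the flat key: value lines of elasticsearch.yml (comments stripped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def config_findings(text):
    """Return findings for settings that together allow anonymous network access."""
    settings = parse_simple_yaml(text)
    findings = []
    # Elasticsearch 6.x/7.x bind to loopback when network.host is unset.
    host = settings.get("network.host", "_local_")
    if host not in LOOPBACK_VALUES:
        findings.append(f"network.host={host}: HTTP API reachable from the network")
    # On a basic licence of the 6.x/7.x era, security was off unless enabled.
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: REST API has no authentication")
    return findings


def response_indicates_anonymous_access(status, body):
    """True when GET / answered 200 with cluster metadata, i.e. no auth was required."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and "cluster_name" in doc and "version" in doc


if __name__ == "__main__":
    for label, yml in (("insecure", INSECURE_YML), ("hardened", HARDENED_YML)):
        print(label, config_findings(yml) or "no findings")
    print("exposed probe:", response_indicates_anonymous_access(*EXPOSED_ROOT_RESPONSE))
    print("protected probe:", response_indicates_anonymous_access(*PROTECTED_ROOT_RESPONSE))
```

Both checks are worth keeping: the configuration audit catches the problem before a node is deployed, while the response classifier is what an internal exposure scan of your own address space would feed on, so the two findings corroborate each other rather than relying on a single signal.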
"What makes this data particularly dangerous in the hands of an attacker is that it shows you exactly where the soft spots are," he said, refraining from naming the major endpoint security vendor that protects Honda's machines.
"This data contained enough identifiable information to make it extremely simple to locate specific high value employees (such as the CEO, CFO, CSO, etc). In the hands of an attacker this leaked data could be used to silently monitor those executives to identify ways to launch very targeted attacks," he explained.
"This is a hacker's dream, a treasure trove of the most sought after information. Whoever has it, can own Honda's network. While it is unclear if this data has already been accessed by someone maliciously, it does highlight a concerning flaw in the security practices of Honda," said Igor Baikalov, chief scientist at Securonix.
Responding to Paine’s alert, Honda gave assurances that there had been no third-party access.
"The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers. We investigated the system’s access logs and found no signs of data download by any third parties," said Honda’s statement, which was shared by Paine.
Honda faced a similar incident in India in May 2018, after an affiliate left two Amazon S3 buckets misconfigured for more than a year.
Kromtech Security Center, which discovered two public unsecured AWS S3 Buckets belonging to Honda Car India, found unprotected databases containing the personal information of over 50,000 users of its Honda Connect App.
Two months later, sensitive documents belonging to peers GM, Fiat Chrysler, Ford, Tesla, Toyota, and Volkswagen were exposed on a publicly accessible server belonging to industrial automation vendor Level One Robotics.
In all these instances, vulnerabilities were discovered in the production and supply chains.
"The sheer amount of sensitive data and the number of affected businesses illustrate how third-party and fourth-party supply chain risk can affect even the largest companies," wrote Upguard, the Australian cyber-security startup that discovered the vulnerability at Level One Robotics.
"The automation and digitisation of manufacturing has transformed the industry, but it has also created a new area of concern for industries, and one that must be taken seriously for organisations to thrive in a healthy digital ecosystem," it added.
"There are three pillars of information security - people, process and technology; very much in that order. In this scenario it may have been a simple oversight by the person(s) responsible for the database," wrote Bitglass regional director Steve Armstrong in an email to SC Media UK.
"Robust policy and user training may have helped to reduce the likelihood of this data exposure - technology would have, potentially, alerted Honda to the issue and allowed them to remediate," he added.