Revolutionary data reveals trade secrets for major automakers. GM and Ford …

A security researcher at UpGuard Security Services revealed a security vulnerability that allowed him to find tens of thousands of sensitive documents for large industrial companies – including most car manufacturers – on an unprotected backup server . These documents included equipment for more than 19459003 companies that deal with the Canadian company Level One Robotics, which provides industrial automation services to businesses, according to a New York Times report.

The security researcher stated that these documents were found on the backup server of the Canadian company, that it does not require any pbadword or access authorization and that any person connected to downloading material the size of containing about 47,000 records containing trade secrets for a number of companies such as Fiat Chrysler, Ford, General Motors, Tesla, Toyota and Volkswagen.

Car manufacturers such as GM, Ford, Tesla, Toyota and Volkswagen are doing their best to keep their technical information secret. The details of badembly line machines and automation processes are among the most sensitive trade secrets of the industry.

Approximately 157 GB of data is detected, including 10 year badembly lines, original drawings, documentation and robotics machine parameters, application forms, and more. identification, VPN access modules, NDA – detailing the sensitivity of the information disclosed.

The data also includes the personal data of some Level 1 employees, including photocopies of driver's licenses, pbadports and Tier 1 customer data, including business plans, invoices, contracts and Bank details.

This discovery was first discovered this month by Chris Vickery, security researcher at UpGuard, who said: "This is one of the worst disclosures of sensitive data in cybersecurity up to now Business of large industrial enterprises Of course, if you find the term "NDA" on a document, you immediately know that you have found something that is not supposed to be available for all

The term NDA is the abbreviation of the Non-Disclosure Agreement: the Non-Disclosure Agreement, which is an agreement between two or more parties and states that certain confidential information must be shared only between the parties to the contract and prohibited disclosure For the public

It was not clear if anyone else had seen or downloaded this unprotected data, which included some information person lles for level one employees and the business secrets of the companies you are dealing with. Vickery told the Canadian company in the last week, and this unprotected information has already been withheld in a day. However, unintentional disclosure of customer data shows a major problem faced by large companies and is subject to significant security risks through their suppliers and foreign companies that deal with them.

The data was detected by entering the Canadian company Level One Robotics site by accessing the rsync protocol, a common file transfer protocol that uses for backing up large sets of files. data

According to the security researchers, no restriction was imposed on the server rsync by IP address or user name, which means that all rsync client connected to the rsync port had access to download this data, and This large amount of sensitive data and the number of affected businesses demonstrates how the e-risks of the third and fourth part of the chain of Supply can affect larger companies.

UpGuard published the details of the event in a publication on his blog titled How Did the Robot Manufacturer Show Confidential Data for Major Manufacturers? Emphasizing that if anyone knows the place of research will be able to access trade secrets protected by car manufacturers because of an error from the supplier company.

In 2013, the worst data breach occurred because of the vendor's fault, when Target Stores confirmed that the hackers had seized approximately 40 million credit card numbers and a credit card. reduction used in its stores The attackers reached this data by penetrating one of the subcontractors of heating and ventilation systems of Target, then by using stolen information coming from this company to access the Target systems and to penetrate it. .

Last month, Ticketmaster Ticketmaster revealed that payment information for thousands of customers had been stolen recently in a hacked event because of a dangerous program of Inbenta, Customer Support on the TicketMaster website.

56% of the companies that participated in last year's survey conducted by the Ponemon Institute for Security Research stated that they were sometimes exposed to a loophole because of the suppliers and that they increased their probability of penetration. Companies surveyed: An average of 470 external companies had access to sensitive information about companies compared to 380 companies a year ago.

Larry Bonmon, founder of the research company, said, "Executives have begun to recognize that some of their relationships with third parties create unreasonable security risks."

"The automotive industry has a deep and complex supply chain and the security risks of third parties are of growing concern," said Faye Francy, executive director of the Center for Analysis. and sharing information about cars.

Milan Gasko, chief executive officer of the Canadian company Level One, declined to discuss the details of the incident at the time these confidential documents were leaked. The company said it was taking these allegations seriously and was working to investigate the nature, extent and ramifications of the accident. This data disclosure, he added: "In order to maintain the integrity of this investigation, we will not comment for the moment."

Founded in 2000 in Windsor, Canada, Level One opened a US office six years later in Detroit that provides engineering services focused on robotics and automation for manufacturing companies.

Representatives of General Motors, Toyota and Volkswagen declined to comment on the disclosed data, while Fiat did not respond to requests for comments from Chrysler, Ford and Tesla.

Final Conclusion

The supply chain has become the weakest part of private data protection: companies that spend millions of dollars a year on cybersecurity are still exposed at the risk of a supplier manipulating their data, the severity of the supply chain on the expansion of the third and fourth parts that deal with the company data sets.

All of these providers have their own processes and systems that determine the extent of data protection. Businesses and their suppliers must therefore have standardized deployments that create and maintain badets securely, reducing the risk of data breach. If this security is not included in the same processes, there will always be configuration errors that will compromise the data.

They should also have a response plan in case of data breach, so that they can act quickly to solve the problem when they are exposed to an incident, as has the level one in this case.

Level One Robotics works with customers and other suppliers as required by the manufacture and sale of robots. This system is very easy to jeopardize the entire chain in the case of a single unprotected and well protected link.