A clumsy error reveals sensitive documents from over a hundred automakers

The sensitive documents of more than one hundred companies engaged in the development and construction of cars – including Fiat Chrysler, Ford, GM, Tesla, Toyota, ThyssenKrupp and Volkswagen – have been leaked. This is because at Level One Robotics a server has turned out to be public, where these documents were.

UpGuard Cyber ​​Risk researchers report this to the New York Times. Level One Robotics provides industrial automation services to automakers. The files were exposed due to problems with rsync, a protocol for data transfer. According to the researchers, no restrictions were imposed on the rsync server. This allowed any rsync client to be connected to the rsync port and download the data.

Secret of Public Trade

UpGuard Cyber ​​Risk has published information on how its researchers discovered data leakage. It also explains how a link within an extended supply chain can have a major impact on huge companies with seemingly strict security measures. A small mistake can therefore reveal secret data and trade secrets.

In this case, this specifically means that the data of the vehicle manufacturers have been potentially disclosed. It is not certain that the data was captured by anyone other than the researchers at UpGuard Cyber ​​Risk. An automaker reports to TechCrunch that it does not appear that the data were captured by other parties

Multiple Measurements

The main problem in the case of Level One Robotics is that it is not possible to use the data. he forgot to have access to rsync. server to an IP address. To avoid problems with these relatively small types of errors, the researchers recommend that access to rsync servers also be tied to certain authentication requirements.

Therefore, people with the correct IP address must always log in to access the datasets. get. Without this type of measurement, the data on the rsync server is essentially on the street. Level One Robotics had 157 gigabytes of data and ten years of information on the layout of factories, how robots are configured, and many other sensitive documents.

The data leak was discovered on July 1st. UpGuard Cyber ​​Risk finally needed until July 9 to find someone inside Level One Robotics, after which the leak was closed on July 10th.