Japanese auto giant Toyota Motor Corp. has confirmed a decade-long data leak via its big data and mobility affiliate, Toyota Connected Corp, affecting millions of customers.
Spanning from January 2012 to April 2023, the problem with Toyota’s cloud-based Connected service pertains only to vehicles in Japan, said spokesperson Hideaki Homma.
The company attributed the security lapse to a misconfigured database that allowed anyone to access the information without a password.
A decade-long Toyota Connected service data leak affected 2.15 million car owners
Toyota attributed the decade-long data breach to human error that left the cloud service publicly accessible without a password.
“It was found that some of the data that Toyota Motor Corporation entrusted to Toyota Connected Corporation (hereinafter referred to as “TC”) was publicly accessible due to a misconfiguration of the cloud environment,” reads the auto-translated statement.
Mark Stockley, a senior threat researcher at Malwarebytes, noted that the mass cloud migration was responsible for an avalanche of cloud misconfigurations.
“This is a prevalent and increasingly common issue,” Stockley said. “The wholesale move to The Cloud and “NoSQL” data storage has been accompanied by an avalanche of stories about leaky Amazon S3 buckets, Internet-exposed Elastic Search instances, and unsecured MongoDB databases.”
The Japanese automaker disclosed that the data leak affected customers who signed up on Toyota cloud platforms since 2012, including those using T-Connect, G-Link, G-Book, and Connected services.
T-Connect is a smart car service for voice assistance, car status monitoring, and customer service access.
The Toyota Connected service reminds owners to service their vehicles, links the car to entertainment services, and can assist during emergencies by calling for help and locating a car that’s been stolen.
Toyota exposed vehicle identification numbers, location, and video footage
The Toyota Connected service data leak exposed the vehicle identification number (VIN), location (and time), terminal ID, and video footage recorded by the vehicle.
Although hackers could not use the information to identify individual owners, they could track the vehicle locations using the VIN, while the video recording could jeopardize the owners’ privacy.
According to its statement, Toyota has no evidence that the information was leaked, copied, or misused. No car owner has reported any security incident from the Toyota Connected service data leak.
Nevertheless, Toyota regretted the “lack of active detection mechanism” that could have flagged the problem earlier.
“It’s no longer enough to just try and keep nefarious actors out, but you must be able to detect when they’re in or when something isn’t right,” said Camellia Chan, CEO and Founder at X-PHY.
Meanwhile, the company launched an investigation into all Toyota Connected cloud services and promised to educate its staff on data security practices.
The Prius hybrid and Lexus luxury automaker will also introduce a system to continuously monitor and audit its cloud configurations.
Toyota has also assured its customers that the problem was fixed, and owners could continue driving Connect-enabled vehicles without the need to bring them in for repairs.
Toyota promised to notify customers whose vehicle ID, chassis number, location information, or time was exposed.
Another failure in automotive cybersecurity
The data leak on the much-touted online service put the automaker’s cybersecurity practices on the spot when automakers worldwide are competing to integrate data for artificial intelligence-enhanced services.
The Toyota Connected service data leak also demonstrates how vulnerable automotive connectivity features could open a new attack surface for mass exploitation.
“In a world of interconnected devices operating on unknown vulnerability surfaces, it’s critical that businesses take a multi-layered, holistic cybersecurity approach that provides protection and detection at every level down to the hardware,” said Chan.
Early this year, researchers discovered software bugs in 16 car brands, including Mercedes-Benz, Porsche, Ford, and Toyota, that could allow hackers to control vehicles remotely and access personally identifiable information.
In October 2022, Toyota discovered it had mistakenly published T-Connect’s data server’s access keys on GitHub, potentially exposing 296,019 users’ personally identifiable information for five years.
Dror Liwer, a co-founder at Coro, recommended anonymizing and encrypting user data: “While this is a misconfiguration which may not have been exploited, there is no reason to take chances with customer data,” Liwer said. “But beyond encryption and anonymization, when storing data, the main questions should be why, and for how long.”
According to Liwer, clear data retention guidelines limit the magnitude of an unfortunate data breach.