The Toyota Motor Corporation is warning that customers’ personal information could have been exposed after an access key was publicly available on GitHub for almost five years.
The key belonged to the official connectivity app that lets Toyota owners link their smartphone with the vehicle’s infotainment system.
Looking into this manufacturing-related data issue for Digital Journal is Jason Kent, Hacker in Residence at Cequence Security.
Kent looks at the evolving news story, noting: “It looks like Toyota is next in line for a possible breach. After realizing they had an application programming interface (API) key exposed in their code base that ended up on GitHub, they had to go and perform the task of invalidating the key and figuring out what kinds of problems they need to go look for.”
API security refers to the process of protecting APIs from attacks. Because APIs are so widely used, and because they expose sensitive software functions and data, they have become a primary target for attackers. Hence, API security is a key component of modern web application security.
Looking into the specific details more thoroughly, Kent finds: “Though security experts recommend periodic rotation of API keys, Toyota took a slightly different tactic and allowed the same key, the one exposed in source code, to be used for 5 years. From 2017 to 2022, that key dutifully provided administrative access to anyone that knew it.”
The consequence, Kent explains: “This key allowed for potential (though neither confirmed nor denied) exposure of customer email addresses and management numbers. As a Toyota owner, it is quite possible that the email associated with my connected services has been learned.”
Kent continues: “The next possible step is to take over that account, learn the location of my vehicle and potentially unlock it or steal it. Though it would be useless without the key, the parts are still quite valuable.”
Kent adds further, in terms of adopting a suitable strategy for remediation: “Leaving API keys to perform programmatic system access is an easy way to make things work, unless the key falls into the wrong hands. Rotate the keys when you can, ideally generate the key as needed. In either case, 5 years is way too long for an API key to last.”
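The two failures described above, a key left in source that reached GitHub and a key never rotated in five years, are both detectable by routine hygiene checks. The following is an added illustration, not code from Toyota or Cequence: it audits a constructed key inventory against an assumed 90-day rotation window and scans constructed source text for key-like values assigned to variables named like secrets (the key names, dates, pattern and sample file are all hypothetical).

```python
"""Defender-side audit of API-key hygiene: flags keys past a rotation
window and flags key-like values hardcoded in source text.
All names, dates and the sample file below are constructed."""
import re
from datetime import date

MAX_KEY_AGE_DAYS = 90            # assumed rotation policy, not Toyota's
REPORT_DATE = date(2022, 10, 7)  # constructed audit date

# Constructed key inventory: key id -> date the key was issued.
INVENTORY = {
    "infotainment-api-admin": date(2017, 1, 1),  # mirrors a key left alive ~5 years
    "telemetry-reader": date(2022, 8, 1),
}

# Assumed pattern: assignments such as API_KEY = "..." whose value is
# 20+ key-like characters. Real scanners use many provider-specific rules.
HARDCODED_KEY_RE = re.compile(
    r'(?i)(api[_-]?key|secret|token)\s*[=:]\s*["\']([A-Za-z0-9_\-]{20,})["\']'
)

def key_age_days(issued: date, today: date) -> int:
    return (today - issued).days

def stale_keys(inventory, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (key_id, age_days) for every key older than the rotation window."""
    return [(kid, key_age_days(issued, today))
            for kid, issued in inventory.items()
            if key_age_days(issued, today) > max_age_days]

def find_hardcoded_keys(source_text):
    """Return (line_no, variable_name) for lines that look like an embedded key."""
    hits = []
    for no, line in enumerate(source_text.splitlines(), 1):
        m = HARDCODED_KEY_RE.search(line)
        if m:
            hits.append((no, m.group(1)))
    return hits

# Constructed sample of a config file that might be committed to a repo.
SAMPLE_SOURCE = '''# constructed sample config
BASE_URL = "https://api.example.invalid"
API_KEY = "ak_live_CONSTRUCTED_0123456789abcdef"
timeout = 30
'''

if __name__ == "__main__":
    for kid, age in stale_keys(INVENTORY, REPORT_DATE):
        print(f"ROTATE {kid}: {age} days old (limit {MAX_KEY_AGE_DAYS})")
    for no, name in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"HARDCODED key-like value assigned to {name} at line {no}")
```

Run as a pre-commit hook, the second check blocks the commit that would have carried the key to a public repository; run on a schedule, the first check turns a stale key into a ticket rather than a five-year exposure.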