
Toyota: Data breach involving source code hosted on GitHub

This key allowed for potential (though neither confirmed nor denied) exposure of customer email addresses and management numbers.

Toyota image — © AFP/File Behrouz MEHRI

The Toyota Motor Corporation is warning that customers’ personal information could have been exposed. This occurred after an access key was publicly available on GitHub for almost five years.

This relates to the official connectivity app that lets owners of Toyota cars link their smartphone with the vehicle’s infotainment system.

Looking into this manufacturing-related data issue for Digital Journal is Jason Kent, Hacker in Residence at Cequence Security.

Kent looks at the evolving news story, noting: “It looks like Toyota is next in line for a possible breach. After realizing they had an application programming interface (API) key exposed in their code base that ended up on GitHub, they had to go and perform the task of invalidating the key and figuring out what kinds of problems they need to go look for.”

API security refers to the process of protecting APIs from attacks. Because APIs are so widely used, and because they provide access to sensitive software functions and data, they have become a primary target for attackers. Hence, API security is a key component of modern web application security.

Looking into the specific details more thoroughly, Kent finds: “Though security experts recommend periodic rotation of API keys, Toyota took a slightly different tactic and allowed the same key, the one exposed in source code, to be used for 5 years. From 2017 to 2022, that key dutifully provided administrative access to anyone that knew it.”

The consequence of this means: “This key allowed for potential (though neither confirmed nor denied) exposure of customer email addresses and management numbers. As a Toyota owner, it is quite possible that the email associated with my connected services has been learned.”

Toyota, the world’s top-selling automaker, now forecasts an annual net profit of 2.36 trillion yen – Copyright AFP Kazuhiro NOGI

Kent continues: “The next possible step is to take over that account, learn the location of my vehicle and potentially unlock it or steal it. Though it would be useless without the key, the parts are still quite valuable.”

Kent adds further, in terms of adopting a suitable strategy for remediation: “Leaving API keys to perform programmatic system access is an easy way to make things work, unless the key falls into the wrong hands. Rotate the keys when you can, ideally generate the key as needed. In either case, 5 years is way too long for an API key to last.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
