Business

Toyota: Data breach involving source code hosted on GitHub

This key allowed for potential (though neither confirmed nor denied) exposure of customer email addresses and management numbers.

Toyota image: — © AFP/File Behrouz MEHRI

The Toyota Motor Corporation is warning that customers’ personal information could have been exposed. This occurred after an access key was publicly available on GitHub for almost five years.

This relates to Toyota’s official connectivity app, which lets vehicle owners link their smartphone with the car’s infotainment system.

Looking into this manufacturing-related data issue for Digital Journal is Jason Kent, Hacker in Residence at Cequence Security.

Kent looks at the evolving news story, noting: “It looks like Toyota is next in line for a possible breach. After realizing they had an application programming interface (API) key exposed in their code base that ended up on GitHub, they had to go and perform the task of invalidating the key and figuring out what kinds of problems they need to go look for.”

API security refers to the process of protecting APIs from attacks. Because APIs are so widely used, and because they provide access to sensitive software functions and data, they have become a primary target for attackers. API security is therefore a key component of modern web application security.

Looking into the specific details more thoroughly, Kent finds: “Though security experts recommend periodic rotation of API keys, Toyota took a slightly different tactic and allowed the same key, the one exposed in source code, to be used for 5 years. From 2017 to 2022, that key dutifully provided administrative access to anyone that knew it.”

The consequence, he explains: “This key allowed for potential (though neither confirmed nor denied) exposure of customer email addresses and management numbers. As a Toyota owner, it is quite possible that the email associated with my connected services has been learned.”

Toyota, the world’s top-selling automaker, now forecasts an annual net profit of 2.36 trillion yen – Copyright AFP Kazuhiro NOGI

Kent continues: “The next possible step is to take over that account, learn the location of my vehicle and potentially unlock it or steal it. Though it would be useless without the key, the parts are still quite valuable.”

On a suitable remediation strategy, Kent adds: “Leaving API keys to perform programmatic system access is an easy way to make things work, unless the key falls into the wrong hands. Rotate the keys when you can, ideally generate the key as needed. In either case, 5 years is way too long for an API key to last.”
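The two controls Kent describes, keeping keys out of the code base and rotating the ones that exist, are both easy to check mechanically. The following script is an added illustration for this article, not code from Toyota, Cequence or Digital Journal. It scans a constructed repository snapshot for assignments of long opaque values to key-like names, and checks a constructed key inventory against a rotation policy; the file contents, key names, issue dates and the 90-day policy are all assumed sample values, and the regular expression is a simplified pattern rather than any vendor’s detection rule.

```python
import re
from datetime import date

# Constructed sample repository snapshot (paths and values are made up;
# the strings are not real credentials).
SAMPLE_REPO = {
    "config/app.properties": "api.key=AKIAEXAMPLEKEY0123456789\n",
    "src/client.py": 'API_KEY = "sk_example_0123456789abcdef0123456789"\nTIMEOUT = 30\n',
    "README.md": "Set API_KEY in your environment before running.\n",
}

# Constructed key inventory: key name -> date the key was issued.
SAMPLE_INVENTORY = {
    "infotainment-backend": date(2017, 12, 1),
    "telemetry-ingest": date(2022, 8, 15),
}

# Assumed pattern: a key/secret/token-like identifier followed by an
# assignment of a long opaque value. Mentions without a value (such as
# "Set API_KEY in your environment") are deliberately not matched.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b(api[_.\-]?key|secret|token)\b\s*[=:]\s*["\']?([A-Za-z0-9_\-]{20,})["\']?'
)


def find_hardcoded_keys(repo):
    """Return (path, line_no, name) for every line that assigns a long
    opaque value to a key-like name in the given {path: text} mapping."""
    findings = []
    for path, text in repo.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            match = SECRET_ASSIGNMENT.search(line)
            if match:
                findings.append((path, line_no, match.group(1)))
    return findings


def keys_past_rotation(inventory, today, max_age_days=90):
    """Return (name, age_in_days) for each key older than the policy allows."""
    stale = []
    for name, issued in inventory.items():
        age = (today - issued).days
        if age > max_age_days:
            stale.append((name, age))
    return stale


def main():
    for path, line_no, name in find_hardcoded_keys(SAMPLE_REPO):
        print(f"hard-coded credential: {path}:{line_no} ({name})")
    # Assumed evaluation date for the sample inventory.
    for name, age in keys_past_rotation(SAMPLE_INVENTORY, date(2022, 10, 7)):
        print(f"rotate: {name} is {age} days old, policy is 90")


if __name__ == "__main__":
    main()
```

Run as a pre-commit hook or CI step, the first function blocks a key from reaching the repository in the first place; the second, run against whatever inventory the key-issuing system exposes, turns “rotate when you can” into a report that names the keys whose age exceeds the policy. A secret that has already been published should be treated as compromised and invalidated regardless of its age, which is the step Kent notes Toyota had to take.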

Written By

Dr. Tim Sandle is Digital Journal’s Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist and an author. He is also interested in history, politics and current affairs.
