Toyota: Data breach involving source code hosted on GitHub

This key allowed for potential (though neither confirmed nor denied) exposure of customer email addresses and management numbers.

Toyota image: — © AFP/File Behrouz MEHRI

The Toyota Motor Corporation is warning customers that their personal information could have been exposed, after an access key sat publicly available on GitHub for almost five years.

The key relates to the official connectivity app that lets Toyota owners link their smartphone with the vehicle’s infotainment system.

Looking into this manufacturing-related data issue for Digital Journal is Jason Kent, Hacker in Residence at Cequence Security.

Kent looks at the evolving news story, noting: “It looks like Toyota is next in line for a possible breach. After realizing they had an application programming interface (API) key exposed in their code base that ended up on GitHub, they had to go and perform the task of invalidating the key and figuring out what kinds of problems they need to go look for.”

API security is the practice of protecting APIs from attack. Because APIs are ubiquitous and expose sensitive functions and data, they have become a primary target for attackers, and a long-lived credential such as the key in this story grants anyone who finds it the same access the legitimate app has. API security is therefore a key component of modern web application security.

Looking into the specific details more thoroughly, Kent finds: “Though security experts recommend periodic rotation of API keys, Toyota took a slightly different tactic and allowed the same key, the one exposed in source code, to be used for 5 years. From 2017 to 2022, that key dutifully provided administrative access to anyone that knew it.”

The consequence, as Kent puts it: “This key allowed for potential (though neither confirmed nor denied) exposure of customer email addresses and management numbers. As a Toyota owner, it is quite possible that the email associated with my connected services has been learned.”

Toyota, the world’s top-selling automaker, now forecasts an annual net profit of 2.36 trillion yen – Copyright AFP Kazuhiro NOGI

Kent continues: “The next possible step is to take over that account, learn the location of my vehicle and potentially unlock it or steal it. Though it would be useless without the key, the parts are still quite valuable.”

Kent adds, in terms of a suitable remediation strategy: “Leaving API keys to perform programmatic system access is an easy way to make things work, unless the key falls into the wrong hands. Rotate the keys when you can, ideally generate the key as needed. In either case, 5 years is way too long for an API key to last.”
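Kent’s advice (rotate keys, generate them as needed, and never let one live for years) can be enforced in code rather than left to policy. The following is an added example written for this article, not Toyota’s or Cequence Security’s code: a small Python API-key store that issues random keys, stores only their hashes, rotates a key with a short grace period, and refuses any key older than a fixed maximum age, so a key that is never rotated still stops working. The 90-day cap, the one-day grace period, the `sk_` prefix and the owner names are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy constants are assumptions for this example, not any vendor's real settings.
MAX_KEY_AGE_SECONDS = 90 * 24 * 3600    # hard cap: 90 days, not five years
ROTATION_GRACE_SECONDS = 24 * 3600      # old key keeps working one day after rotation


def _digest(key: str) -> str:
    """Only the SHA-256 of a key is stored, so a dump of the table yields no usable keys."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


@dataclass
class KeyRecord:
    owner: str
    issued_at: float
    expires_at: Optional[float] = None  # set when the key is rotated or revoked


class ApiKeyStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                          # injectable clock so the demo can fast-forward
        self._keys: Dict[str, KeyRecord] = {}    # digest -> record

    def issue(self, owner: str) -> str:
        """Generate a fresh random key; the 'sk_' prefix is an assumed convention."""
        key = "sk_" + secrets.token_urlsafe(32)
        self._keys[_digest(key)] = KeyRecord(owner=owner, issued_at=self._now())
        return key

    def rotate(self, old_key: str) -> str:
        """Issue a replacement and let the old key expire after a short grace period."""
        rec = self._keys.get(_digest(old_key))
        if rec is None:
            raise KeyError("unknown key")
        rec.expires_at = self._now() + ROTATION_GRACE_SECONDS
        return self.issue(rec.owner)

    def revoke(self, key: str) -> None:
        """Immediate invalidation, the step taken once a key is found in a public repo."""
        rec = self._keys.get(_digest(key))
        if rec is not None:
            rec.expires_at = self._now()

    def authenticate(self, key: str) -> Optional[str]:
        """Return the owner for a valid key, or None if unknown, expired, revoked or too old."""
        rec = self._keys.get(_digest(key))
        if rec is None:
            return None
        now = self._now()
        if rec.expires_at is not None and now >= rec.expires_at:
            return None
        if now - rec.issued_at > MAX_KEY_AGE_SECONDS:
            return None  # never rotated: the key outlived policy and is rejected anyway
        return rec.owner


def demo() -> Dict[str, Optional[str]]:
    """Walk keys through issue, rotation, grace period, hard cap and revocation."""
    clock = [0.0]                                    # constructed fake clock, in seconds
    store = ApiKeyStore(now=lambda: clock[0])
    out: Dict[str, Optional[str]] = {}

    k1 = store.issue("connected-services")
    out["fresh"] = store.authenticate(k1)            # "connected-services"

    clock[0] = 30 * 24 * 3600                        # day 30: routine rotation
    k2 = store.rotate(k1)
    out["old_in_grace"] = store.authenticate(k1)     # still "connected-services"
    out["new"] = store.authenticate(k2)              # "connected-services"

    clock[0] += ROTATION_GRACE_SECONDS + 1           # day 31: grace period over
    out["old_after_grace"] = store.authenticate(k1)  # None

    k3 = store.issue("never-rotated")
    clock[0] += 5 * 365 * 24 * 3600                  # five years later, as in the story
    out["stale_after_five_years"] = store.authenticate(k3)  # None: hard cap

    k4 = store.issue("leaked-on-github")
    store.revoke(k4)
    out["revoked"] = store.authenticate(k4)          # None
    return out


if __name__ == "__main__":
    for name, owner in demo().items():
        print(f"{name:>24}: {owner}")
```

Two design choices worth noting. The server never stores the raw key, only its hash, so a leaked key table is not itself a credential leak; and a recognisable prefix (here the assumed `sk_`) is what lets secret-scanning tools flag the key if it is ever committed to a repository, which is exactly the failure mode in this story. A key that grants administrative access should additionally be scoped to the minimum the app needs, so that a leak exposes less than the whole customer record.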

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
