Toyota’s Global Supplier Preparation Information Management Network (GSPIMS) hacked!

The hacker and researcher behind the pseudonym EatonHacks disclosed a serious vulnerability in one of Toyota’s web applications. In the end, they had full access to internal projects, confidential documents, and user accounts, including accounts from suppliers/external partners, such as Michelin, Continental, Stanley Black & Decker, HARMAN, and many more.

What happened? Eaton stumbled upon the Toyota GSPIMS website without knowing what it was. Googling only told Eaton that there were some job listings mentioning it. The researcher first tried to modify the JavaScript code to get past the login page, yet the Toyota website detected this unauthorized access and denied it because the authentication cookie was missing. Before abandoning the webpage and considering it secure, Eaton found something in the code: the generation of the JSON Web Token (JWT) used for authorization (i.e., proving that you are allowed to access secured parts of the website) only required a valid email address, no password. Consequently, Eaton succeeded in logging in and escalating their access to system admin.
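To make the flaw described above concrete, here is an added example in Python; it is not Toyota's code and not taken from EatonHacks' write-up. It implements a minimal HS256 JWT issuer over a constructed in-memory user store and places the insecure pattern (a known e-mail alone yields a signed token) next to a hardened version that verifies a password before signing, takes the role claim from the server-side record rather than from the request, and checks signature, algorithm and expiry when the token comes back. The secret key, the user records and all function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed for this example: a server-side HMAC key and an in-memory user
# store. Real deployments keep the key in a secret store and users in a database.
SERVER_SECRET = b"example-hs256-key-generated-for-this-demo-only"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "pw_hash": hash_password(password, salt), "role": role}


# Constructed sample accounts; the role lives only here, never in client input.
USERS = {
    u["email"]: u
    for u in (
        make_user("supplier@example.com", "correct horse battery staple", "supplier"),
        make_user("admin@example.com", "a different long passphrase", "sysadmin"),
    )
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Produce a compact HS256 JWT over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(SERVER_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def issue_token_insecure(email: str) -> Optional[str]:
    """The flawed pattern from the write-up: a known e-mail alone is enough to get a signed token."""
    user = USERS.get(email)
    if user is None:
        return None
    return sign_jwt({"sub": email, "role": user["role"], "exp": int(time.time()) + 3600})


def issue_token(email: str, password: str) -> Optional[str]:
    """Hardened issuance: verify the password first; take the role from the server-side record."""
    user = USERS.get(email)
    # Hash even for unknown e-mails so response time does not reveal which accounts exist.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    return sign_jwt({"sub": email, "role": user["role"], "exp": int(time.time()) + 3600})


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Never let the token choose the algorithm; the server fixes it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SERVER_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON or token structure
        return None
    if now is None:
        now = time.time()
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    print("insecure, e-mail only:", issue_token_insecure("admin@example.com") is not None)
    print("hardened, wrong password:", issue_token("admin@example.com", "guess"))
    token = issue_token("admin@example.com", "a different long passphrase")
    print("hardened, verified claims:", verify_token(token))
```

The insecure function is only there to show why a signed token proves nothing about who requested it: the signature is the server's, so it is valid no matter how weak the check before signing was. The hardened path also hashes a dummy salt for unknown e-mails so that response time does not reveal which addresses exist.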

Eaton emphasizes that a serious threat actor could have gained permanent access by creating their own user with elevated roles in case the login issue got fixed, could have downloaded and published all the data, deleted or modified it, and crafted targeted phishing attempts to go even further. In conclusion, exploitation of this vulnerability by a serious threat actor could have had severe consequences for Toyota, its suppliers, and their customers.

Eaton praised Toyota’s efforts in responding to the disclosed vulnerability and the fast fix: “Out of all the security issues I have reported so far to various vendors, Toyota’s response was the fastest and most effective. I was very impressed with how quickly they responded and fixed the issue. Some companies can be slow to respond or fail to respond at all, so this experience was refreshing,” Eaton says.

Toyota was lucky that Eaton chose to disclose their findings responsibly, even though Eaton earned $0 for finding and reporting this critical issue.

Hyundai and Kia fix is out!

After several months and many headlines, Hyundai announced it would roll out a free software update addressing a flaw in its anti-theft software. The method for exploiting the flaw, which requires only a USB cable, was shared all over social media and led to an increased number of car thefts (and violence) all over the world. In addition to this update, Hyundai will also provide anti-theft stickers to its customers. The US NHTSA attributed at least 14 reported crashes and eight fatalities to this TikTok challenge exploiting the vulnerability.

Initially, Hyundai didn’t see it as their fault that they didn’t include an engine immobilizer in their base models; the opposing argument is that an immobilizer is standard equipment on nearly all vehicles from other manufacturers. Hyundai later emphasized that all vehicles built after November 2021 have come with an immobilizer in their base models, just not the earlier models. After several cities, government departments and agencies put more pressure on Hyundai, the company offered a security kit for $170, excluding installation and labor costs. To illustrate the extent to which car thefts increased: the Milwaukee police report states that 469 Kias and 426 Hyundais were stolen in 2020; in 2021 the numbers were 3,557 and 3,406 respectively. Some insurance companies like State Farm even reacted to this and started to blacklist certain Hyundai vehicles from being added to new policies. And now, finally, a fix is out.

How did they fix it? Locking the car will automatically trigger the “ignition kill” feature, meaning that the vehicle cannot be started while it is locked, as is the case in the TikTok challenge, which requires first breaking into the locked car. Only unlocking the car with the key fob disables this feature and consequently allows the engine to be started.

Comment: The issue in this case is mainly physical security rather than the cybersecurity we usually focus on, but it highlights that customers need to be made aware of such missing features when buying their car. Similarly, it could be advertised how cybersecurity is addressed in each model, how long it will receive security updates, and so on. A first step towards this are the well-known UNR 155 and 156.

Short news

  • On the safety side, Tesla needs to recall nearly 363,000 cars due to a flaw in the self-driving software, according to the US NHTSA. This also opens the floor for discussion about the word “recall” being used, since the fix will be distributed as an over-the-air update. Elon Musk has a strong opinion on this one.
  • Remote driving in the UK should only be legal if the operator is located in the UK, according to a report from the Law Commission.
  • Porsche South Africa is the victim of a ransomware attack.