White hat hackers crack Toyota’s supplier portal
Companies routinely hire "white hat" hackers to identify weaknesses in their networks, often paying bounties for any vulnerabilities found and reported. Automakers are no exception, and with the rapid proliferation of connected vehicles with round-the-clock internet access, the security risks are growing just as fast. Toyota recently learned of an issue with its supplier portal through which a white hat hacker was able to access email accounts, documents, and other confidential information.
Auto news reported that Eaton Zveare, a hobby hacker (and beekeeper) from Florida, found the vulnerability and reported it to Toyota last November. The automaker quickly closed the hole and thanked Zveare but did not pay a bounty, which he said could encourage less reputable hackers to sell such findings on the black market instead of reporting them. It's worth noting that Toyota has a program in place for researchers to report vulnerabilities, but it's unclear whether Zveare used it.
Zveare discovered the weakness by generating a web token using a Toyota email address. The system authenticated him without a password, opening the door to all kinds of confidential corporate information; in effect, knowing an address was as good as knowing its owner's credentials. All he had to do was search the Internet for a valid Toyota email address. Once in, he repeated the process to take over an account with system administrator privileges.
Zveare ended up with read and write access to some 14,000 Toyota email accounts, and it's not hard to see how a malicious actor could cause serious problems for Toyota. The good news, at least for customers, is that Zveare's exploit did not give him access to their personal information.
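The weakness described above is a login step that mints a session token for whatever identity the request names and never demands a credential. The following is an added illustration of that flaw class beside its fix; it is not Toyota's code and makes no claim about how the portal was actually built. The HS256 signing, the signing key, the user store, the example.com accounts and every function name here are assumptions made for the example.

```python
"""Constructed illustration of unauthenticated token issuance and its fix (not Toyota's code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumption for the example: tokens are HMAC-SHA256 (HS256) JWTs signed with one server secret.
SIGNING_KEY = b"constructed-demo-signing-key-do-not-reuse"
TOKEN_TTL_SECONDS = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Produce header.payload.signature over the claims; identical in both login paths below."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims when algorithm, signature and expiry all check out; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse alg=none and anything the server never issues
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


@dataclass(frozen=True)
class User:
    salt: bytes
    pw_hash: bytes
    role: str


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_user(password: str, role: str) -> User:
    salt = secrets.token_bytes(16)
    return User(salt, _hash_password(password, salt), role)


# Constructed user store for the example; these are not real accounts or credentials.
USERS = {
    "supplier@example.com": _make_user("supplier-pass", "supplier"),
    "portal-admin@example.com": _make_user("admin-pass", "system_admin"),
}
_DUMMY = User(bytes(16), bytes(32), "")  # stand-in record for unknown emails


def vulnerable_issue_token(email: str) -> Optional[str]:
    """The flaw: identity is whatever the request says, so a valid account email is all it takes."""
    user = USERS.get(email)
    if user is None:
        return None
    return mint_token({"sub": email, "role": user.role, "exp": time.time() + TOKEN_TTL_SECONDS})


def hardened_issue_token(email: str, password: str) -> Optional[str]:
    """The fix: mint a token only after a credential proves the caller owns that identity."""
    user = USERS.get(email, _DUMMY)
    # Hash even for unknown accounts so response timing does not reveal which emails exist.
    ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
    if user is _DUMMY or not ok:
        return None
    return mint_token({"sub": email, "role": user.role, "exp": time.time() + TOKEN_TTL_SECONDS})


def tamper_role(token: str, new_role: str) -> str:
    """Rewrite the role claim without re-signing, as an attacker lacking the key would have to."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = new_role
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


if __name__ == "__main__":
    # Knowing only a publicly visible address yields an admin session on the weak path...
    weak = vulnerable_issue_token("portal-admin@example.com")
    print("vulnerable path, no password:", verify_token(weak)["role"])
    # ...and nothing on the hardened path.
    print("hardened path, wrong password:", hardened_issue_token("portal-admin@example.com", "guess"))
```

The point of keeping `mint_token` and `verify_token` shared is that the signature, algorithm and expiry checks were never the problem in this flaw class: a token issued on an email alone is perfectly well signed, so downstream services accept it. The fix has to sit at issuance. After closing such a hole, a practitioner would also rotate the signing key so that tokens minted through the weak path stop working, and review issuance logs for accounts that obtained tokens without a matching credential check.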
In September last year, another white hat hacker notified the automaker of a vulnerability in the telematics services behind SiriusXM's in-car functions. Toyota has been slow to adopt features like Apple CarPlay and Android Auto, citing customer and data privacy reasons, so it's surprising to see these issues now.
That said, this exploit was quite benign for everyday vehicle owners, unlike others in recent history. Sam Curry, the researcher behind last year's Toyota report, found problems with Hyundai, Acura, Land Rover and others that allowed hackers to reach vehicle functions through SiriusXM, and several automakers have had vulnerabilities found in their increasingly powerful mobile applications. The good news is that they tend to fix problems quickly, but someone has to find and report them first.