
Toyota source code exposed for five years, impacts 300,000 drivers

  • According to Toyota, source code related to its T-Connect service was left publicly accessible on GitHub for almost five years.
  • The discovery led Toyota to admit that the personal data of almost 300,000 drivers had been at risk of compromise.
  • The potentially compromised data includes email addresses and customer management numbers, but not names, phone numbers or credit card details.

Japanese auto giant Toyota Motor has a dedicated smartphone app, T-Connect, that connects a driver to their vehicle for features that include remote vehicle status checks, remote locking and unlocking of the doors, and map-based guidance to where the vehicle is parked, among others. In short, it handles a large amount of data about each of its users.

Toyota has now discovered that a contractor left source code for its T-Connect service publicly exposed on GitHub for five years. The incident came to Toyota’s attention on September 15, 2022, and the revelation meant that the personal data of almost 300,000 drivers had been at risk of compromise.

“In December 2017, the T-Connect website development subcontractor mistakenly uploaded part of the source code to their GitHub account while it was set to be public, in violation of the handling rules,” the company said in a statement translated by Tech Wire Asia. Simply put, between December 2017 and September 15, 2022, anyone on the internet could read part of the source code on GitHub.

Toyota found that “the published source code contained an access key to the data server, and by using it, it was possible to access the email address and customer management number stored in the data server.” Since the discovery, Toyota has restricted access to the source code and has informed the affected customers. What Toyota has not been able to confirm is whether the data was actually accessed or downloaded at any point.

Whether any of that data has since been abused is likewise unknown. For the record, Toyota T-Connect is the automaker’s official connectivity app, which lets owners of Toyota cars link their smartphone with the vehicle’s infotainment system for phone calls, music, navigation, notification integration, driving data, engine status, fuel consumption and more.

Following the discovery of the exposed source code, the data server’s keys were changed on September 17, 2022, revoking any access that unauthorized third parties might have obtained. “As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time, we cannot completely deny it,” Toyota’s statement explains. The server’s access history is the only evidence available; a key that sat in a public repository for almost five years has to be assumed compromised and rotated, which is what Toyota did.

All T-Connect users registered between July 2017 and September 2022 have been advised to be vigilant against phishing and to avoid opening email attachments from unknown senders claiming to be from Toyota. Experts note that such secure-development errors plague organizations today, and that most often it is their customers who pay the price once attackers discover the error and compromise systems and data.

Jordan Schroeder, managing CISO at Barrier Network, said in an email statement that organizations must get better at source code control and at managing secrets such as access keys, because there is a strong possibility that this data has already been accessed by attackers and Toyota may never know for sure.

“Addressing these weaknesses requires implementing secrets management so that access keys are pulled from secured secrets servers and not hard coded into software, by locking down the development environment to prevent public access, and by setting up automated code repository security and access reviews, which includes searching the internet for code snippets that would indicate source code leakage,” he added.
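The repository scanning and secrets management Schroeder describes are what a pre-commit hook or CI job does in practice. The following is an added example written for this article, not Toyota’s code and not a tool Schroeder named: it scans constructed sample source files for hard-coded credentials (an AWS-format access key ID, and quoted values assigned to names such as access_key, secret_key, api_key, password or token), skips template placeholders, redacts what it reports so the report does not re-leak the secret, and shows the hardened alternative of loading the key from the runtime environment. The file paths and contents and the DATA_SERVER_ACCESS_KEY variable name are assumptions made for the example; the AKIA… value is the example key ID from AWS documentation, not a real credential.

```python
"""Minimal secret scanner plus the hardened key-loading pattern.

Added example for illustration only: not Toyota's code and not a specific
product. Sample repository content below is constructed for the demo.
"""
import math
import re
from collections import Counter

# Detection rules, checked in order; the first rule that matches a line wins.
# The AWS access-key-ID format (AKIA + 16 upper-case alphanumerics) is publicly
# documented. The generic rule catches a quoted value assigned to a
# secret-looking name in most languages and config formats.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("assigned_secret",
     re.compile(r"(?i)(access[_-]?key|secret[_-]?key|api[_-]?key|password|token)"
                r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"), 2),
]

# Values that are templates filled in at deploy time, not real credentials.
PLACEHOLDER_MARKERS = ("${", "{{", "<")


def shannon_entropy(value):
    """Bits per character: random keys score high, words and templates low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def is_placeholder(value):
    return any(marker in value for marker in PLACEHOLDER_MARKERS)


def scan_text(path, text):
    """Return one finding per offending line of a single file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, regex, group in RULES:
            match = regex.search(line)
            if not match or is_placeholder(match.group(group)):
                continue
            value = match.group(group)
            findings.append({
                "path": path, "line": lineno, "rule": rule,
                "entropy": round(shannon_entropy(value), 2),
                # Redact: the scan report must not become a second leak.
                "value": value[:4] + "..." + value[-2:],
            })
            break
    return findings


def scan_files(files):
    """Scan a mapping of path -> file content (e.g. the staged files of a commit)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def load_access_key(env, name="DATA_SERVER_ACCESS_KEY"):
    """Hardened pattern: the credential is injected at runtime (for example by
    the deployment pulling it from a secrets manager into the environment) and
    never appears in the repository. Start-up fails loudly if it is missing."""
    key = env.get(name)
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to start without a credential")
    return key


# Constructed sample repository content (hypothetical paths and values).
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "data.example.internal"\n'
        'ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'    # AWS documentation example key ID
        'DB_PASSWORD = "s3cr3t-Pa55w0rd-2017"\n'
    ),
    "deploy/app.yaml": (
        'api_key: "${API_KEY}"\n'                  # template, filled at deploy time
        'region: ap-northeast-1\n'
    ),
    "src/client.py": (
        'import os\n'
        'access_key = os.environ["DATA_SERVER_ACCESS_KEY"]\n'   # hardened form
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['path']}:{f['line']} {f['rule']} (entropy {f['entropy']}) {f['value']}")
    # Non-zero exit so a pre-commit hook or CI job blocks the commit.
    raise SystemExit(1 if results else 0)
```

Run stand-alone, the script reports the two hard-coded values in config/settings.py, ignores the `${API_KEY}` template and the environment lookup, and exits 1. Two caveats a practitioner would add: scan the whole git history and not just the working tree, because a key deleted in a later commit is still recoverable from earlier ones; and treat any hit on a public repository as already compromised and rotate the key immediately, since the repository offers no record of who cloned it.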