Researcher Successfully Hacked Toyota’s Global Network

A Florida-based cybersecurity researcher had a slow week in late October 2022 and decided to inspect the systems of various major companies for exploits. In a week, he detected four different security issues at Toyota, all of which he deemed critical.

Eaton Zveare, Director of Technology at Grape Intentions, an online wine store, has a personal website where he writes about various cybersecurity projects he pursues in his free time.

Last October, Zveare decided to “explore the subdomains of various major companies to see if I could find any exploits worth reporting/writing about.”

When he found several interesting Toyota websites, it took the researcher a mere week to detect and report four different “critical” security issues to the Japanese car manufacturer. “One of the reports had a remarkably severe impact and is one of the most severe vulnerabilities I have ever found,” Zveare wrote in his blog.

What he meant was that he had hacked Toyota’s Global Supplier Preparation Information Management System – a web app used by the company’s employees and their suppliers to coordinate projects, purchases, and other tasks related to the global Toyota supply chain.

toyota-screen
A web app of Toyota’s Global Supplier Preparation Information Management System. Courtesy of eaton-works.com.

The hack was quite easy to execute. Zveare says he discovered a backdoor login mechanism in the website, and this allowed him to log in as any corporate Toyota user or supplier just by knowing their email. What happened next was entirely unsurprising.

“I eventually uncovered a system administrator email and was able to log in to their account. Once that was done, I had full control over the entire global system. I had full access to internal Toyota projects, documents, and user accounts, including user accounts of Toyota’s external partners/suppliers,” the researcher said.

These external accounts included users from companies such as Michelin, Continental, Stanley Black & Decker, Timken, and others.

The issue was reported to Toyota on November 3, who responded later that same day, confirming they received the report. Twenty days later, the firm announced the issue was fixed.

However, Zveare thinks that if a threat actor had discovered the problem, “the consequences could have been severe.” For an obvious instance, they could have downloaded and leaked all the data, deleted it, or modified it to disrupt global Toyota operations.

Finally, a threat actor could have crafted a highly targeted phishing campaign to attempt to capture corporate login details. This would probably have exposed other Toyota systems to attack.

“It’s one thing to have 14k+ corporate emails, but it’s another to have 14k+ corporate emails and know exactly what they are working on/have worked on. If a supplier user has a habit of reusing passwords, it’s possible their own infrastructure could be attacked too,” the researcher said.

As Cybernews recently reported, security researchers discovered severe vulnerabilities in Ferrari, BMW, Toyota, Ford, and other automotive companies.

According to the researchers, Toyota Financial’s Insecure direct object references (IDOR) – a vulnerability that arises from broken access control in web applications – discloses the name, phone number, email address, and loan status of any Toyota financial customers.

Leave a Comment

Your email address will not be published. Required fields are marked *