White hat hacker cracked Toyota's supplier portal

InsuNews February 8, 2023
White hat hacker cracked Toyota's supplier portal

Companies hire “white hat” hackers to help identify network weaknesses all the time, generally offering a bounty for any vulnerabilities they find and report. Automakers are no exception, and with the proliferation of connected vehicles with round-the-clock internet access, the security risks have grown just as fast. Toyota recently learned of an issue with its supplier portal, through which a white hat hacker could access email accounts, documents and other confidential information.

Automotive News reported that Eaton Zveare, a hobbyist hacker (and beekeeper) from Florida, found the vulnerability and reported it to Toyota last November. The automaker quickly closed the breach and thanked Zveare but stopped short of paying a bounty, which he said could encourage less upstanding hackers to sell secrets to the black market instead of reporting them. It’s worth noting that Toyota has an existing program for researchers to report vulnerabilities, but it’s unclear if Zveare used it.

Zveare discovered the weakness in Toyota’s supplier portal by generating a web token using a Toyota email address. The system authenticated him without a password, opening the door to all sorts of secret corporate information. All he had to do was search the internet for a valid Toyota email address. Once in, he repeated the access process to take over an email account with system administrator permissions.

Zveare had read-write access to 14,000 Toyota email addresses, and it’s not hard to see how a malicious actor could cause significant issues for Toyota. The good news, at least for customers, is that Zveare’s exploits did not give him access to their personal information.

See also  Volvo recalls handful of vehicles for risk of false alarm

In September last year, another white hat hacker notified the automaker of a vulnerability with the telematics services included in SiriusXM radio functions. Toyota was slow to adopt tech features like Apple CarPlay and Android Auto, citing customer and data privacy, so it’s surprising to see these issues now.

That said, this hack is pretty benign for everyday vehicle owners, unlike others in recent history. Sam Curry, the person behind last year’s Toyota report, has found issues with Hyundai, Acura, Land Rover and others that allowed hackers to access vehicle functions through SiriusXM, and some automakers have found vulnerabilities in their increasingly robust mobile apps. The good news is that they tend to fix issues quickly, but someone has to find and report them first.

Related video:

Tags: , ,

More Stories

Celebrate Earth Day by saving up to 31% on Greenworks electric lawn tools

Celebrate Earth Day by saving up to 31% on Greenworks electric lawn tools

InsuNews April 18, 2024
Mercedes CLE 450 Cabriolet First Drive Review: Best luxury convertible for most drivers

Mercedes CLE 450 Cabriolet First Drive Review: Best luxury convertible for most drivers

InsuNews April 18, 2024
4 strategies for insurance companies when adopting AI

4 strategies for insurance companies when adopting AI

InsuNews April 18, 2024

You may have missed

Checking off boxes on a checklist

A Financial Planning Checklist, From Age 20 to 70 and Beyond

InsuNews April 18, 2024

Okay, I’ll keep my insurance, but is it legal to for me to choose NOT use it for a procedure?

InsuNews April 18, 2024
Celebrate Earth Day by saving up to 31% on Greenworks electric lawn tools

Celebrate Earth Day by saving up to 31% on Greenworks electric lawn tools

InsuNews April 18, 2024
Mercedes CLE 450 Cabriolet First Drive Review: Best luxury convertible for most drivers

Mercedes CLE 450 Cabriolet First Drive Review: Best luxury convertible for most drivers

InsuNews April 18, 2024
10 Amazing WordPress Design Resouces

10 Amazing WordPress Design Resouces

InsuNews April 18, 2024