An ethical hacker found a backdoor in a Web app used by Toyota employees and suppliers for coordinating tasks related to the automaker’s global supply chain, gaining control of the global system merely by knowing the email address of one of its users.
Security researcher Eaton Zveare revealed this week that in October, he found the backdoor login mechanism in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal, a site used by Toyota employees and their suppliers to coordinate various business activities. The backdoor allowed him to log in as any corporate user or supplier.
From there he found a system administrator email and logged in to their account, thus gaining “full control over the entire global system,” he explained in a blog post about the hack.
Once acting as an administrator, Zveare said he had “full access” to internal Toyota projects, documents, and user accounts, including some of those that belonged to Toyota external partners and suppliers such as Michelin, Continental, Stanley Black & Decker, and Harman.
All in all, the researcher gained read/write access to Toyota’s global user directory of more than 14,000 users. Zveare also could access corporate user account details, confidential documents, projects, supplier rankings/comments, and other sensitive data related to those users, he said.
Significant Supply Chain Threat
The hack demonstrates once again how a simple, overlooked flaw in an enterprise system can inadvertently give an attacker access to sensitive data and corporate accounts of a company’s supply chain. This, in turn, paves the way for malicious activity that affects not only that organization but its entire ecosystem of partners, security experts noted.
Indeed, had a threat actor discovered the issue before him, “the consequences could have been severe,” Zveare observed.
The issue could have allowed attackers to create their own user account with an elevated role to retain access should the issue ever be discovered and fixed, or download and leak all the data to which they had access, he said.
They also could have deleted or modified data in a way to be disruptive to global Toyota operations, or crafted a highly targeted phishing campaign to attempt to capture “real corporate login details, which could have exposed other Toyota systems to attacks,” Zveare wrote.
The researcher reported the issue to Toyota on Nov. 3 and the company reported back 20 days later that it had been fixed — a speedy response with which Zveare was “impressed,” he said.
“Out of all the security issues I have reported so far to various vendors, Toyota’s response was the fastest and most effective,” he said.
Zveare revealed his research nearly a year after Toyota suffered a major supply chain breach that forced it to halt production on all 28 lines at its 14 plants in Japan. On Feb. 22, the company reported a cyberattack causing a “system failure” at supplier Kojima Industries that disrupted its just-in-time production control system.
Fortunately for Toyota, the latest breach was an ethical one and, thanks to Zveare’s responsible disclosure, the company could fix it before there was any impact on the company or its partners’ business, notes one security professional.
“Not all ‘breachers’ are as responsible as in this case!” observes Henning Horst, CTO of data security specialists at Comforte AG.
How It Was Done
Zveare’s journey to finding the backdoor wasn’t completely straightforward, he acknowledged in his post. Initially he wasn’t even sure if the portal — which he said is an Angular single-page application created by SHI International Corp-USA on behalf of Toyota — was a very important entity for the company.
The GSPIMS API itself appeared to be secure, which led Zveare to dig further into the application code to see what else it did. What he eventually found was that JSON Web Tokens (JWTs), the bearer tokens the portal uses to represent a user’s authenticated session, were being generated from a user’s email address alone, without requiring a password.
Zveare Googled for Toyota supply chain users and made an educated guess to formulate the email of someone who he thought would be a user of the GSPIMS portal. “Then I fired off the createJWT HTTP request, and it returned a valid JWT!” he wrote.
His discovery gave him the ability to generate a valid JWT for any Toyota employee or supplier registered in GSPIMS, “completely bypassing the various corporate login flows, which probably also enforce two-factor authentication options,” Zveare wrote.
Although the user whose email he first used did not have system administrator privileges, he searched within GSPIMS for the email of someone who did, generated a token for that account in the same way, and thereby gained full control of the system as an administrator.
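To make the flawed pattern concrete, the following is an added example written for this article; it is not GSPIMS or SHI code, and every name, key, user and password in it is hypothetical, with the user directory constructed inline. It contrasts a token-minting function that trusts a client-supplied email address (the shape of the createJWT request described above) with one that issues a token only after a credential is verified. JWT signing and verification are implemented with the standard library (HS256) so the script runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side HS256 key and token lifetime. A real deployment
# would load the key from a secret store; this value is an assumption here.
SIGNING_KEY = b"hypothetical-hs256-key-kept-server-side"
TOKEN_TTL_SECONDS = 3600


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample directory standing in for the portal's user store.
# The passwords exist only so the hardened path has something to verify.
SAMPLE_SALT = b"constructed-salt"
USERS = {
    "supplier@example.test": {"role": "supplier",
                              "pw_hash": hash_password("supplier-pass", SAMPLE_SALT)},
    "admin@example.test": {"role": "admin",
                           "pw_hash": hash_password("admin-pass", SAMPLE_SALT)},
}


def sign_jwt(claims: dict, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT with iat/exp. Both issuance functions below share
    this; the difference is what each checks before calling it."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = dict(claims, iat=int(now), exp=int(now) + TOKEN_TTL_SECONDS)
    payload = b64url(json.dumps(body).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse algorithm substitution such as "none"
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def create_jwt_vulnerable(email: str) -> Optional[str]:
    """The flawed pattern: the caller names a user and receives a valid token
    for that user. Knowing an email address is the whole 'authentication',
    and whatever MFA the corporate login flow enforces is never reached."""
    user = USERS.get(email)
    if user is None:
        return None
    return sign_jwt({"sub": email, "role": user["role"]})


def create_jwt_hardened(email: str, password: str) -> Optional[str]:
    """Issuance gated on a verified credential. With corporate SSO the identity
    provider would perform this step (including MFA) and the application would
    expose no self-service token endpoint at all."""
    user = USERS.get(email)
    # Hash even for unknown users so response timing does not reveal valid addresses.
    candidate = hash_password(password, SAMPLE_SALT)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    return sign_jwt({"sub": email, "role": user["role"]})


if __name__ == "__main__":
    # With only an email address, the vulnerable path hands out an admin token.
    print("vulnerable:", verify_jwt(create_jwt_vulnerable("admin@example.test")))
    # The hardened path refuses the same request without the password.
    print("hardened, no password:", create_jwt_hardened("admin@example.test", ""))
```

The check a practitioner wants after reading this: grep the application and its API for any route that returns a session token and confirm that each one sits behind the identity provider or a verified credential, not behind a parameter the client controls.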
A Big-Picture Security Approach
Enterprises have work to do in order to block the kind of issue Zveare found, security experts say. For starters, security administrators must take a more holistic approach to security and recognize the wider impact their overall security posture, or lack thereof, has on all of the partners and customers with whom they do business.
“What are perceived as ‘internal systems’ to organizations, no longer are,” Dror Liwer, co-founder of cybersecurity firm Coro said in an email statement to Dark Reading. “With partners, suppliers, and employees collaborating via the Internet — all systems should be considered external, and as such, protected against malicious intrusion.”
Developing this big-picture perspective and security strategy is not so simple, as most enterprises already have their hands full managing their own company’s risk, notes Lorri Janssen-Anessi, director of external cyber assessments for BlueVoyant.
However, considering how easy it was for Zveare to gain access to a system that serves Toyota’s global supply chain, companies need to get their heads around this risk to maintain security across any third party that touches their network, she says.
“What today’s organizations should take from the reported vulnerability in Toyota’s supplier management network is a firm reminder to look at their own vendor and supplier cybersecurity,” Janssen-Anessi says.
Key measures to consider include shoring up access control and user account privileges, ensuring that employees and third parties are given access only to the data needed for their particular role, she notes. “This helps to control what data can be accessed in the event of a breach,” Janssen-Anessi says.
Indeed, a more data-centric approach overall to security could help enterprises avoid or mitigate a scenario that Zveare demonstrated, Comforte AG’s Horst observes. He advises that organizations find ways to protect data as soon as it enters their corporate data ecosystem, thus protecting “the data itself rather than perimeters and borders around the data.”