Researcher identifies exploitable vulnerability in Toyota system.
N2K logoFeb 8, 2023

Backdoor allowed full access to Toyota’s internal management system.

Researcher identifies exploitable vulnerability in Toyota system.

A security researcher who goes by “EatonWorks” was able to breach Toyota's Global Supplier Preparation Information Management System (GSPIMS), which is used by the company to manage its global supply chain, BleepingComputer reports.

Only an email address required for authentication.

EatonWorks explains that “[a]ny user could be logged into just by knowing their email, completely bypassing the various corporate login flows,” and he was able to gain “full access to internal Toyota projects, documents, and user accounts, including user accounts of Toyota’s external partners/suppliers.”

The researchers found that the user service would generate a JSON Web Token (JWT) after simply entering an email address with no password. JWTs are session tokens used to validate authenticated users. He logged in by guessing a Toyota employee’s corporate email address, then used this access to discover employees with more access. EatonWorks eventually gained full control over more than 14,000 users, as well as access to thousands of confidential documents.

EatonWorks responsibly disclosed this issue to Toyota, and it was patched in November 2022. (He notes that he wasn’t offered a bug bounty for his efforts.)

Industry comments.

Lorri Janssen-Anessi, Director of External Cyber Assessments at BlueVoyant, offered the following observations :

"What today’s organizations should take from the reported vulnerability in Toyota’s supplier management network is a firm reminder to look at their own vendor and supplier cybersecurity — after all, Toyota wasn’t the first company to experience an incident like this and sadly won’t be the last either. Managing your own network is a challenge in and of itself, and adding on the complexity of additional third parties providing critical services brings yet another layer on top of that. Organizations must understand the risk of their entire third-party ecosystem, which includes suppliers, vendors, and other outside organizations with network access. Organizations must recognize the importance of validating their cybersecurity program and its implementation to ensure reduction of risk or vulnerabilities. This should be ongoing and continuous and not merely a yearly compliance check.

"Organizations also need to consider access control and user account privileges. With Toyota’s reported issue, anyone with a valid email was given access to everything in a portal. Instead, organizations should only provide employees and third-parties with access to the data needed for their role. This helps to control what data can be accessed in the event of a breach. 

"The best way for organizations to protect their data is with defense in depth. When different cybersecurity defenses are layered, it makes it more difficult for cyber attackers to access sensitive systems and data. By continuously monitoring both internal networks and third parties, having access control, plus good cyber hygiene, like multi-factor authentication, companies can make it more difficult for attackers to gain access."

Dror Liwer, co-founder of cybersecurity company Coro, noted:

“What is perceived as ‘internal systems’ to organizations, no longer is. With partners, suppliers, and employees collaborating via the internet – all systems should be considered external, and as such, protected against malicious intrusion. Being at the top of the food chain, this security lapse is a minor PR inconvenience. Had it been discovered in one of Toyota’s suppliers, rest assured the supplier could have lost Toyota as a customer. Organizations within the supply chain are seeing more scrutiny from their customers, requiring them to prove they are cyber secure, and in many cases, insisting they provide proof of cyber insurance. Beyond the reputational damage, a supply chain breach may lead to lawsuits, direct financial damage, and indirect financial hit as a result of lost business.”

Erich Kron, security awareness advocate at KnowBe4 commented:

“Issues with software, such as this vulnerability, are going to come up and the more complex the software, the more likely it is to happen. This is actually a case of things working out well, due to the efforts of a security researcher. The responsible reporting of the finding and the quick response and remediation of the issue without the exposure of sensitive information to bad actors, is an example of how responsible reporting is supposed to work.

"Regardless of the size of the organization, having a responsible reporting policy and an easy to find way to report findings should be standard for any internet facing portals or websites. Offering bug bounties to security researchers should also be considered.”

Jason Kent, Hacker in Residence at Cequence Security, stated:

"The funniest thing I ever heard about JSON Web Tokens (JWTs) is they are like 'walking into your kitchen in the dark, reaching into the knife drawer and just thrashing around until you find one.' It seems putting trust into JWTs might be a bit of a poor idea if the JWT isn't secure and working off of security principles. The attack here exploited the fact that JWTs are something that organizations need to be very careful with and test thoroughly. In my own testing of APIs at Toyota I found it easy to pull window stickers and iterate through cars as they were being built. Knowing what I do about their systems I can understand that their security team doesn't have the time to manually test every system like this, the challenge is that this type of testing is required for every system."