Security researchers have discovered that sensitive documents from over 100 manufacturing companies, including GM, Ford, Toyota, Tesla, Fiat Chrysler, ThyssenKrupp and Volkswagen, were exposed online via an unprotected server. The publicly accessible server belonged to Level One Robotics, an Ontario-based firm that provides industrial automation services to OEMs, Tier 1 automotive suppliers and end users.
The UpGuard Cyber Risk team discovered the exposed repository on July 1. It contained 157GB of corporate documents, including detailed blueprints and factory schematics, robotic configurations and documentation, non-disclosure agreements, employee data and more.
The data was exposed via rsync, a file transfer protocol commonly used to back up large datasets. However, access to the rsync server was not restricted, meaning any rsync client that connected to the rsync port could potentially download the massive trove of data.
UpGuard notified Level One of its findings, and the exposure was closed by July 10.
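The exposure described above is what an rsync daemon does when its modules are left on rsync's defaults: with no `hosts allow` every client IP is accepted, and with no `auth users` the module is served anonymously. As an added example (not from the UpGuard report or from Level One), this Python script parses an rsyncd.conf and flags modules that rely on those defaults; the configuration, module names and network range it contains are constructed for illustration.

```python
import re

# Constructed rsyncd.conf: [backups] relies on rsync's defaults (any host,
# no authentication); [engineering] restricts both client IP and identity.
SAMPLE_CONF = """
uid = nobody
[backups]
    path = /srv/backups
[engineering]
    path = /srv/engineering
    hosts allow = 10.20.0.0/16
    auth users = backup-agent
    secrets file = /etc/rsyncd.secrets
    read only = yes
"""

_SECTION = re.compile(r"^\[([^\]]+)\]$")


def parse_rsyncd_conf(text):
    """Return (global_settings, {module: settings}); keys are lower-cased."""
    global_settings, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # rsyncd.conf comments start the line
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).strip()
            modules[current] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target = global_settings if current is None else modules[current]
            target[key.lower()] = value
    return global_settings, modules


def audit_rsyncd_conf(text):
    """Return (module, finding) tuples for modules left on permissive defaults."""
    global_settings, modules = parse_rsyncd_conf(text)
    findings = []
    for name, settings in modules.items():
        effective = {**global_settings, **settings}  # module settings override global ones
        if "hosts allow" not in effective:
            findings.append((name, "no 'hosts allow': accepts connections from any IP"))
        if "auth users" not in effective:
            findings.append((name, "no 'auth users': served anonymously"))
    return findings


if __name__ == "__main__":
    for module, finding in audit_rsyncd_conf(SAMPLE_CONF):
        print(f"[{module}] {finding}")
```

A global `hosts allow` or `auth users` placed before the first module applies to every module, so the audit merges global and per-module settings before deciding.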
“Level One takes these allegations very seriously and is diligently working to conduct a full investigation of the nature, extent, and ramifications of this alleged data exposure,” Level One President and CEO Milan Gasko told the New York Times. “In order to preserve the integrity of this investigation, we will not be providing comment at this time.”
The leak exposed a massive trove of customer, employee and Level One data, including assembly line and factory schematics, robotic configurations, specifications and use of the machines, along with animations of the robots at work, researchers said.
Researchers said the full text of dozens of non-disclosure agreements, which outlined client expectations of privacy and the confidential nature of the data being handled, was also exposed.
“That was a big red flag,” UpGuard's Chris Vickery told NYT. “If you see NDAs, you know right away that you’ve found something that’s not supposed to be publicly available.”
In addition to corporate documents, the exposed data set also included personal data of some Level One employees, including names, ID numbers, driver's license and passport scans, and ID photos. Level One business data, including invoices, contracts, price negotiations, insurance policies for Level One contractors, customer agreements and the company's banking information (account and routing numbers and SWIFT codes), was leaked as well.
"Automotive manufacturers—and manufacturers in general—usually want to keep the details of how they make their products confidential," researchers said in a blog post. "Malicious actors could potentially sabotage or otherwise undermine operations using the information present in these files; competitors could use them to gain an unfair advantage.
"The presence of so many strongly worded NDAs within the data set itself speaks to the level of confidentiality expected by these partners when handling this kind of information. Perhaps more troubling however, are the files dealing with gaining access, both digital and physical, to many client companies."
Although no passwords were discovered in the exposed data set, researchers noted that the combination of the valuable leaked information "could make socially engineering access into one of these relatively guarded facilities a much easier task."
"The sheer amount of sensitive data and the number of affected businesses illustrate how third- and fourth-party supply chain cyber risk can affect even the largest companies," researchers said.
"The automation and digitization of manufacturing has transformed the industry, but it has also created a new area of concern for industries, and one that must be taken seriously for organizations to thrive in a healthy digital ecosystem."