White hat hacker cracked Toyota's supplier portal
Companies hire “white hat” hackers to help identify network weaknesses all the time, generally offering a bounty for any vulnerabilities they find and report. Automakers are no exception, and with the proliferation of connected vehicles with round-the-clock internet access, the security risks have grown just as fast. Toyota recently learned of an issue with its supplier portal, through which a white hat hacker could access email accounts, documents and other confidential information.
Automotive News reported that Eaton Zveare, a hobbyist hacker (and beekeeper) from Florida, found the vulnerability and reported it to Toyota last November. The automaker quickly closed the breach and thanked Zveare but stopped short of paying a bounty, which he said could encourage less upstanding hackers to sell secrets to the black market instead of reporting them. It’s worth noting that Toyota has an existing program for researchers to report vulnerabilities, but it’s unclear if Zveare used it.
Zveare discovered the weakness in Toyota’s supplier portal by generating a web token using a Toyota email address. The system authenticated him without a password, opening the door to all sorts of secret corporate information. All he had to do was search the internet for a valid Toyota email address. Once in, he repeated the access process to take over an email account with system administrator permissions.
Zveare had read-write access to 14,000 Toyota email addresses, and it’s not hard to see how a malicious actor could cause significant issues for Toyota. The good news, at least for customers, is that Zveare’s exploits did not give him access to their personal information.
In September last year, another white hat hacker notified the automaker of a vulnerability with the telematics services included in SiriusXM radio functions. Toyota was slow to adopt tech features like Apple CarPlay and Android Auto, citing customer and data privacy, so it’s surprising to see these issues now.
That said, this hack is pretty benign for everyday vehicle owners, unlike others in recent history. Sam Curry, the person behind last year’s Toyota report, has found issues with Hyundai, Acura, Land Rover and others that allowed hackers to access vehicle functions through SiriusXM, and some automakers have found vulnerabilities in their increasingly robust mobile apps. The good news is that they tend to fix issues quickly, but someone has to find and report them first.
Related video: