The UpGuard Cyber Risk team disclosed that sensitive documents for over a hundred manufacturing companies were exposed on a publicly accessible server belonging to Level One Robotics. Among the companies with data exposed in the incident are divisions of VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp.
The 157 gigabytes of exposed data include over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information. Not all types of information were discovered for all customers, but each customer contained some data of these kinds. Also included are personal details of some Level One employees, including scans of driver’s licenses and passports, and Level One business data, including invoices, contracts, and bank account details.
The data was exposed via rsync, a common file transfer utility and protocol used to mirror or back up large data sets. The rsync daemon was not restricted by IP address or user, so the full data set could be downloaded by any rsync client that connected to the rsync port (TCP 873). The sheer amount of sensitive data and the number of affected businesses illustrate how third-party and fourth-party supply chain risk can affect even the largest companies. The automation and digitization of manufacturing has transformed the industry, but it has also created a new area of concern, and one that must be taken seriously for organizations to thrive in a healthy digital ecosystem.
On July 1st, 2018 the UpGuard Cyber Risk team discovered the exposed rsync server and began analysis. After ownership was determined, attempts to contact Level One began on July 5th. Contact was established on July 9th, and the exposure was closed by July 10th. Level One took the exposure very seriously and shut it down immediately upon notification.
Rsync is a widely used utility for large data transfers, especially backups or keeping files in sync across multiple locations. However, like most tools of its kind, it can be deployed insecurely if the rsync daemon is not properly restricted. Rsync instances should be restricted by IP address (the "hosts allow" parameter) so that only designated clients can connect at all, and user authentication ("auth users" backed by a "secrets file") should be required before a client receives the data set; modules that only serve data should also stay read-only. Without these measures, an rsync daemon reachable from the internet is publicly accessible: by default it will list its modules to any client that asks, and serve them to anyone who connects.
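The following audit script is an added example, not code from UpGuard or from Level One, showing how the restrictions above map onto rsyncd.conf parameters. It parses a daemon configuration, merges global defaults into each module, and flags the three conditions that made this exposure possible (no IP restriction, no authentication, and a writable module) plus anonymous module listing. Both configurations embedded in it are constructed for illustration; the parameter names and defaults are those of rsyncd.conf, but the script is not an rsync component.

```python
"""Audit rsyncd.conf modules for the exposure pattern described above.

Added example (not UpGuard's or Level One's code). Parameter names are real
rsyncd.conf parameters; the two configurations below are constructed.
  - "hosts allow"                   restricts which client addresses may connect
  - "auth users" + "secrets file"   require a login before any transfer
  - "read only"                     defaults to yes; "no" makes a module writable
  - "list"                          defaults to yes; modules are shown to anyone
Global parameters (before the first [module]) act as defaults for every module.
"""
import re

# Constructed: a module exposed the way the article describes.
WEAK_CONF = """
uid = nobody
gid = nogroup
use chroot = yes

[backups]
    path = /srv/backups
    comment = Customer project files
    read only = no
"""

# Constructed: the same module with the restrictions the article recommends.
HARDENED_CONF = """
uid = nobody
gid = nogroup
use chroot = yes
hosts allow = 10.20.0.0/16 192.0.2.10
hosts deny = *
secrets file = /etc/rsyncd.secrets
list = no

[backups]
    path = /srv/backups
    comment = Customer project files
    auth users = backup-agent
    read only = yes
"""

# "hosts allow" values that amount to "everyone".
ANY_HOST = {"*", "0.0.0.0/0", "::/0"}


def parse_rsyncd_conf(text):
    """Return (globals, {module: params}); keys lowercased, module values override globals."""
    globs, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)      # [module] header
        if m:
            current = modules.setdefault(m.group(1).strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = globs if current is None else current
            target[key.strip().lower()] = value.strip()
    return globs, modules


def _is_yes(value, default):
    """Interpret an rsyncd boolean, falling back to rsync's documented default."""
    if value is None:
        return default
    return value.lower() in ("yes", "true", "1")


def audit_module(params):
    """Return the findings for one module's effective (global + module) parameters."""
    findings = []
    hosts = params.get("hosts allow", "").split()
    if not hosts or any(h in ANY_HOST for h in hosts):
        findings.append("no IP restriction: any address may connect (set 'hosts allow')")
    if not params.get("auth users"):
        findings.append("no authentication: data served to anonymous clients (set 'auth users')")
    elif not params.get("secrets file"):
        findings.append("'auth users' set without a 'secrets file': logins cannot succeed")
    if not _is_yes(params.get("read only"), default=True):
        findings.append("module is writable: 'read only = no' lets clients alter files")
    if _is_yes(params.get("list"), default=True):
        findings.append("module is listed: anonymous clients can enumerate it (set 'list = no')")
    return findings


def audit_config(text):
    """Map each module name to its findings; an empty list means the module passed."""
    globs, modules = parse_rsyncd_conf(text)
    return {name: audit_module({**globs, **params}) for name, params in modules.items()}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for module, findings in audit_config(conf).items():
            print(f"[{label}] {module}: {len(findings)} finding(s)")
            for finding in findings:
                print("  -", finding)
```

The same conditions can be confirmed from outside with a stock rsync client: `rsync rsync://HOST/` lists the daemon's modules when "list" is left at its default, and `rsync --list-only rsync://HOST/MODULE/` walks a module's contents without any credentials when "auth users" is unset. If either command succeeds from an address that has no business connecting, the daemon is exposed in the same way described in this post.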
Level One Robotics has some big customers, including major automobile manufacturers like GM, Ford, Tesla, and more. The exposed data includes information on over a hundred different companies that interface with Level One. Customer contact details, including names and titles of client employees, were also present, illustrating the network of connections in the robotics automation pipeline. The documents by which Level One contractors request ID badges and VPN credentials to some of these clients are also exposed in the rsync discovery, a significant asset for social engineering. Finally, the full text of dozens of non-disclosure agreements is present, outlining client expectations of privacy and the confidential nature of the data being handled.
The exposed data set also contained personally identifiable information for some of Level One’s own employees, including scans of passports, driver’s licenses and other identification. Additionally, the ingredients to procure access badges for Level One employees, such as their name, ID number, and photograph are present.
Corporate data exposed on the rsync server includes sales information like invoices, prices, and scopes of work. Insurance policies for Level One contractors are included. Other files contain notes on customers, projects, and the common business documents one would expect on an enterprise file server. Also included is banking information for Level One, including account and routing numbers, and SWIFT codes. A SWIFT code is an international bank code that identifies particular banks worldwide.
Automotive manufacturers, and manufacturers in general, usually want to keep the details of how they make their products confidential. Factory layouts, automation efforts, and robot specifications ultimately determine the output potential for the company. Malicious actors could potentially sabotage or otherwise undermine operations using the information present in these files; competitors could use them to gain an unfair advantage. The presence of so many strongly worded NDAs within the data set itself speaks to the level of confidentiality expected by these partners when handling this kind of information.
Perhaps more troubling, however, are the files dealing with gaining access, both digital and physical, to many client companies. While no plaintext passwords were discovered in the data set, the combination of the official identification and VPN credential request forms, the contact points for many of Level One's customers, and the personal information and photographs of Level One employees could make social-engineering access into one of these relatively guarded facilities a much easier task.
But those are just the corporate consequences. The personal information of several Level One employees was also exposed, including scans of passports and driver’s licenses. These kinds of documents should never be publicly exposed, opening the subjects up to identity theft and other fraud.
Finally, the permissions set on the rsync server at the time of the discovery indicated that the server was publicly writable (the module was not configured read-only), meaning that someone could potentially have altered the documents there, for example replacing bank account numbers in direct deposit instructions, or embedding malware in files that Level One's customers would later open. As we've discussed in the past, this is a significant risk.