Toyota, the Japanese automaker, revealed that it accidentally exposed a credential that allowed access to customer data in a public GitHub repository for almost 5 years.
The code was public from December 2017 to September 2022. Although Toyota says it has invalidated the key, an exposure that long could mean multiple cybercriminals gained access in the meantime.
Exposing data in public Git repositories is a worrying issue. Code destined for tightly controlled private repositories is often pushed to public repositories owned by employees or contractors, outside the security controls of their GitHub organization.
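The defensive counterpart to the problem described above is catching hard-coded credentials before a commit ever reaches a remote. The following is an added example written for this article, not code from Toyota or from any scanning product: a small pre-commit style scanner that flags (a) assignments to credential-like variable names and (b) long, high-entropy string literals, and redacts the value in its report. The sample source file, the variable names in it and the entropy threshold are all constructed for illustration.

```python
import math
import re
from dataclasses import dataclass

# A credential-like variable name (secret, password, token, api_key, access_key ...)
# assigned a quoted literal of at least 8 characters.
ASSIGNMENT_RE = re.compile(
    r"""(?P<name>[A-Za-z0-9_.\-]*(?:secret|password|passwd|token|api[_-]?key|access[_-]?key)[A-Za-z0-9_.\-]*)"""
    r"""\s*[:=]\s*['"](?P<value>[^'"]{8,})['"]""",
    re.IGNORECASE,
)
# Any quoted run of 20+ key-alphabet characters is a candidate for the entropy check.
QUOTED_RE = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")
# Bits per character. Random base64-style keys score roughly 4.5-5; prose scores well below 4.
ENTROPY_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    reason: str
    excerpt: str  # redacted, never the full value


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep a short prefix so the finding can be located, hide the rest."""
    return value[:4] + "..." + "*" * 4


def scan_text(path, text):
    """Return a list of Findings for one file's contents (path is only used for reporting)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT_RE.search(line)
        if m:
            findings.append(Finding(path, line_no,
                                    f"credential-like assignment to '{m.group('name')}'",
                                    redact(m.group("value"))))
            continue  # already reported; skip the entropy pass for this line
        for literal in QUOTED_RE.findall(line):
            e = shannon_entropy(literal)
            if e >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no,
                                        f"high-entropy literal (entropy {e:.2f} bits/char)",
                                        redact(literal)))
    return findings


# Constructed sample of a config module with secrets baked in (not real credentials).
SAMPLE_SOURCE = """\
import os

DB_HOST = "db.example.internal"
DB_USER = "tconnect_app"
DB_PASSWORD = "Sup3rS3cretPassw0rd!"
API_ACCESS_KEY = "example-access-key-000000"
SESSION_TOKEN = os.environ["SESSION_TOKEN"]
GREETING = "Welcome to the customer portal"
SERVER_CONN = "abcdefghijklmnopqrstuvwxyz012345"
"""


def scan_sample():
    """Run the scanner over the constructed sample; lines 5, 6 and 9 should be flagged."""
    return scan_text("settings.py", SAMPLE_SOURCE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.path}:{f.line_no}: {f.reason}: {f.excerpt}")
```

Wired into a pre-commit hook (exit non-zero when `scan_text` returns anything), this stops the most common case, a config file with a literal password or key, before it is pushed. Note that the `SESSION_TOKEN` line is correctly ignored because the value comes from the environment rather than a literal, while `SERVER_CONN` is caught purely by entropy even though its name gives nothing away; scanning history as well as the working tree matters, because a secret that was committed and later deleted is still present in every clone of a public repository.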
What happened
In 2014, Toyota introduced its customers to a new telematics service called T-Connect, which offers interactive voice response and allows drivers to connect to third-party apps. Toyota advertises it as “connected services that provide safe, comfortable and convenient services through vehicular communication”.
T-Connect enables features such as remote start, in-car Wi-Fi, digital key access, full control of metrics provided by the dashboard, plus a hotline to the My Toyota service app. The servers that control these options contain unique customer identification numbers and emails.
In December 2017, during work with an unnamed subcontractor, a portion of the T-Connect source code was uploaded to a public GitHub repository. The repository contained an encrypted access key for the data server that manages customer information. Anyone who found this credential could reach the server, and with it the records of 296,019 customers.
It wasn’t until September 15, 2022 that someone realized that this repository was public and that customer data was potentially exposed. Toyota has since made the repository private and invalidated and replaced the affected connection credentials.
