October 01, 2018 01:00 AM

All in a day's work

How a hacker found a massive customer data breach through a robotics supplier in Canada

Edward Niedermeyer

    It all started as a typical workday for Chris Vickery. The director of cyber risk research for UpGuard was running a routine port scan, a process similar to knocking on doors to see who is home. It is something he does nearly every day to find computers that are open to break-ins from hackers.

    UpGuard's mission as a cybersecurity startup is to raise awareness of data leaks. Part of that effort included hiring Vickery, who has made news in the last few years for finding a lot of sensitive information available via the Internet. He has found account details for 13 million users of MacKeeper, a utility sold for Apple's Macs, information on nearly every U.S. voter left accessible online by a Republican consultancy and evidence that a New York airport had left highly sensitive files unsecured online for nearly a year.

    On the morning of July 1, Vickery was scanning random Internet Protocol addresses through Port 873 when he noticed a pair of hard drives that were accepting connections from the public Internet.

    Port numbers are like the individual doors on the houses Vickery was knocking on. Most Internet traffic goes through Port 80 or Port 443, which carry http and https web traffic. Port 873 is the registered port for rsync, an open-source remote file synchronization tool that is typically used to back up files. An rsync server on Port 873 can be limited to trusted computers and users by putting up a simple door: a firewall rule at the network edge, or the rsync daemon's own host and user restrictions.

    But what Vickery found that day was a pair of backup hard drives that were completely exposed to public Internet traffic. The door was wide open.
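    What that "simple door" looks like in practice, as an added illustration for this article rather than Level One's own configuration (the article notes the company never explained how the drives were exposed): the first module definition below, in rsync daemon configuration syntax, would produce exactly what Vickery describes, a share that any address reaching Port 873 can list, read and write, while the second fences the same share. The path, host address and user name are assumed.

```ini
# rsyncd.conf, exposed: no host or user restriction, writable, and listed.
# Everyone who can reach TCP 873 can list, download and upload.
[client_files]
    path = /srv/backup/client_files
    comment = Client Files
    read only = no
    list = yes

# rsyncd.conf, fenced: one permitted backup host, authenticated user,
# read-only, and hidden from the anonymous module list.
# (address, hosts allow, auth users, secrets file, read only and list are
# all standard rsyncd.conf options; the values are assumed.)
address = 10.20.0.1
[client_files]
    path = /srv/backup/client_files
    comment = Client Files
    hosts allow = 10.20.0.5
    hosts deny = *
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    read only = yes
    list = no
```

    The secrets file holds one user:password line per user and must not be world-readable, or the daemon refuses it. Note that daemon authentication protects the share, not the wire: rsync's native protocol is unencrypted, so the usual practice is to bind the daemon to an internal address as above, block Port 873 at the Internet edge, or run rsync over SSH instead of the daemon at all.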

    Not unusual

    Security professionals lament that industries tend to underappreciate the risks they face until a major hack or breach jolts them awake. The auto industry's wake-up call for connected-vehicle cybersecurity came three years ago, when security researchers Chris Valasek and Charlie Miller publicized a vulnerability that allowed them to hack a Jeep Cherokee.

    Many security experts try to deliver that wake-up call themselves, finding exposed data and alerting the responsible companies before a criminal does.

    Finding an open door like the one Vickery discovered that July morning is not particularly unusual. Vickery says his routine scans turn up unprotected data about once a week, and UpGuard's automated systems find thousands of smaller data breaches every day.

    But as soon as he downloaded the data, he could tell there might be sensitive information. One of the directories was named "Client Files."

    "That's always a juicy directory," he said.

    Even juicier: Inside that directory was a folder named "Tesla." That's when Vickery knew this was likely an important data breach.

    "I have the general impression that data related to Tesla is generally pretty heavily protected, and they seek to enforce that protection," Vickery said.

    Massive breach

    Vickery quickly Googled the name of the company the hard drives belonged to, Level One. Once he saw the Windsor, Ontario, company provided automation and robotics to the auto industry, he realized he had just found an extremely sensitive set of data. The files exposed the entire relationship between the robotics company and its secretive electric automaker client.

    "There were nondisclosure agreements, pictures of Tesla's manufacturing floor, computer-aided drafting schematics of their factories," he said. "It's not 100 per cent of the files needed to build a Tesla factory, but there was a surprising amount there. It struck me as generally something that a Tesla attorney would have a heart attack about if they knew it was available to the open Internet."

    The data wasn't just about Tesla. General Motors, Ford, Fiat Chrysler, Volkswagen and Toyota all had projects with Level One, and their sensitive data was revealed in the breach. Information that could have helped malicious hackers wreak further havoc was exposed, including bank account details, virtual private network access request forms and ID badge request forms, as well as personal details about Level One employees, such as scans of licenses and passports.

    All told, 157 gigabytes of sensitive data were exposed. For perspective, an hour of streaming video uses about 1 GB of data. So the data breach involved about six and a half days of nonstop TV show binging.


    Because of the amount of data and the level of detail it described, Vickery was quickly able to determine that this was not a "false flag" intended to fool him or make Level One look bad. So he moved to the next step: sending the CEO of Level One, Milan Gasko, a standard email informing him of the breach that had been found.

    It took a few days to pull the email together. And then, nothing. No one responded.

    Vickery said it's not unusual for his initial outreach to go unheeded because companies often think he is a scammer preying on a company's worst fears.

    Several days later, still with no response, Vickery called Level One and spoke to a receptionist who told him that the CEO didn't regularly monitor the email address he had tried. She took a message and said she would bring the matter to his attention the next morning.

    Simple solution

    "I got a call back about 45 minutes later," Vickery said. As soon as he was on the phone with the company, it was clear that it took the situation seriously.

    Vickery described the situation and told Level One what kind of device he believed was exposed, based on the metadata the open rsync service had returned.

    The company found the storage devices while Vickery was on the line and fixed the problem in an instant with one simple move: It unplugged them.

    Sure enough, Vickery scanned the ports again, and they were gone. The exposure had been closed, at least temporarily.

    Asked whether most breaches are closed that easily, Vickery laughed.

    "It's not usually the case that they are able to just unplug the device," he said. "Usually it takes a little bit more than that."

    Since there were no signs of criminal activity, or evidence that the exposed data had been seen by anyone besides Vickery, there wasn't much left to do but write UpGuard's official report.

    It's still not completely clear to Vickery how these storage devices were left open to public traffic, let alone publicly writable, and Level One isn't saying. The company declined to comment for this report.

    "Level One has been very humble and nice," he said, "but they have engaged outside counsel, and I am signing a declaration that I have purged all the information that I had."

    Easy mistakes

    Vickery says most data breaches are caused by straightforward mistakes, such as a typo in a configuration or a database plugged into the wrong port in a server room. Especially as manufacturing companies reinvent themselves for the hyperconnected, data-driven paradigm, he says, there will always be some risk of an inadvertent error leaving sensitive data exposed.

    In the manufacturing world, suppliers are often trying to compete with one another on price, and many companies see security as an additional expense, Vickery said. But the axiom "If it ain't broke, don't fix it" doesn't work in the connected world, he said.

    "Well, a lot of times, the fundamental security problem is that your eyes are shut, so you don't realize that something is broken," Vickery said. "You never know the bad guys are getting in."

    If a company can't afford to hire a company such as UpGuard, Vickery said there is an easy way to check what it is exposing to the Internet.

    "Just send one of your IT people home early one afternoon with a list of your IP addresses, and have them try to connect to your systems from home without any privileged access," Vickery said. "If every company did that just once a month, I probably wouldn't have a job."
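    The check Vickery describes, done for the one service at the centre of this story, as an added example that is not code from UpGuard, Level One or the article's author. It speaks the real rsync daemon greeting from the outside: the daemon announces "@RSYNCD: <version>", the client answers in kind, then either sends an empty line to request the module list (what `rsync rsync://host/` does) or names a module, to which the daemon replies OK, AUTHREQD or an error. That is all a scanner like Vickery's needs to see in order to tell an open share from a protected one. Because a real target cannot be shipped with the article, the daemon side is a constructed stand-in wired to the client through a local socket pair; the module names, comments and challenge string are made up.

```python
"""Outside-in check for an rsync daemon on TCP 873, with a stand-in daemon for offline use."""
import socket
import threading
from typing import Callable, Dict, List, Optional

RSYNC_PORT = 873
PROTOCOL_VERSION = "31.0"

# Constructed stand-in for an rsyncd.conf (names and comments are made up).
# Non-empty "auth_users" makes the daemon answer AUTHREQD; "list": False hides the module.
DEMO_MODULES = {
    "client_files": {"comment": "Client Files", "auth_users": [], "list": True},
    "backups": {"comment": "Nightly backups", "auth_users": ["backup"], "list": True},
    "engineering": {"comment": "CAD exports", "auth_users": [], "list": False},
}

def _readline(sock: socket.socket) -> Optional[str]:
    """Read one newline-terminated line; None at EOF."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            if not buf:
                return None
            break
        buf += chunk
    return buf.decode("utf-8", "replace").rstrip("\r\n")

def _handshake(sock: socket.socket) -> str:
    """The daemon greets with '@RSYNCD: <version>'; the client answers with its own."""
    greeting = _readline(sock) or ""
    if not greeting.startswith("@RSYNCD:"):
        raise ValueError(f"not an rsync daemon greeting: {greeting!r}")
    sock.sendall(f"@RSYNCD: {PROTOCOL_VERSION}\n".encode())
    return greeting

def list_modules(sock: socket.socket) -> List[str]:
    """Request the module list and return the module names."""
    _handshake(sock)
    sock.sendall(b"\n")  # an empty line (or "#list") asks for the listing
    names = []
    while True:
        line = _readline(sock)
        if line is None or line.startswith("@RSYNCD: EXIT"):
            break
        if line.startswith("@ERROR"):
            raise PermissionError(line)
        if "\t" in line:  # entries are "<name padded to 15>\t<comment>"; motd lines have no tab
            names.append(line.split("\t", 1)[0].strip())
    return names

def probe_module(sock: socket.socket, module: str) -> str:
    """Name a module and classify the daemon's answer without transferring anything."""
    _handshake(sock)
    sock.sendall(f"{module}\n".encode())
    reply = _readline(sock) or ""
    if reply.startswith("@RSYNCD: OK"):
        return "anonymous"  # no "auth users": anyone who can reach the port gets in
    if reply.startswith("@RSYNCD: AUTHREQD"):
        return "auth-required"
    if reply.startswith("@ERROR"):
        return "denied"  # unknown module, or hosts allow/deny rejected us
    return "unexpected"

def audit_rsync(connect: Callable[[], socket.socket]) -> Dict[str, str]:
    """List modules, then reconnect once per module to learn which need no credentials.
    `connect` returns a fresh socket each call, e.g.
    lambda: socket.create_connection((host, RSYNC_PORT), timeout=5)."""
    sock = connect()
    try:
        modules = list_modules(sock)
    finally:
        sock.close()
    verdicts = {}
    for name in modules:
        sock = connect()
        try:
            verdicts[name] = probe_module(sock, name)
        finally:
            sock.close()
    return verdicts

# --- constructed stand-in daemon so the check runs offline -------------------
def _fake_rsyncd(sock: socket.socket, modules: dict = DEMO_MODULES) -> None:
    sock.sendall(f"@RSYNCD: {PROTOCOL_VERSION}\n".encode())
    _readline(sock)  # the client's version line
    request = _readline(sock) or ""
    if request in ("", "#list"):
        for name, m in modules.items():
            if m["list"]:
                sock.sendall(f"{name:<15}\t{m['comment']}\n".encode())
        sock.sendall(b"@RSYNCD: EXIT\n")
    elif request not in modules:
        sock.sendall(f"@ERROR: Unknown module '{request}'\n".encode())
    elif modules[request]["auth_users"]:
        sock.sendall(b"@RSYNCD: AUTHREQD 0123456789abcdef\n")  # made-up challenge
    else:
        sock.sendall(b"@RSYNCD: OK\n")
    sock.close()

def demo_connection() -> socket.socket:
    """Client socket wired to a fresh stand-in daemon running in a background thread."""
    client, server = socket.socketpair()
    threading.Thread(target=_fake_rsyncd, args=(server,), daemon=True).start()
    return client

if __name__ == "__main__":
    print(audit_rsync(demo_connection))
    # -> {'client_files': 'anonymous', 'backups': 'auth-required'}
```

    Against a real host, the monthly exercise Vickery suggests is to run audit_rsync from outside the corporate network with a connect function that dials each address on the list; any module that comes back "anonymous" is the open door he found. The hidden "engineering" module in the stand-in makes one further point: "list = no" only keeps a module out of the listing, and probing it by name still returns "anonymous", so hiding a share is not a substitute for hosts allow and auth users.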

    ISSN 2475-5001 (print)
    ISSN 2475-501X (online)

    Resources
    • About us
    • Contact Us
    • Digital Edition Archive
    • Advertise with Us
    • Reprints
    • Ad Choices Ad Choices
    • Sitemap
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Automotive News Canada
    Copyright © 1996-2021. Crain Communications, Inc. All Rights Reserved.