If you want to attack a major organization, you do not use the main entrance. You want to use the delivery gate. This old piece of wisdom has become a painful reality for Fiat, Tesla, General Motors, Volkswagen, ThyssenKrupp and others.
At the end of last week, news broke that roughly 160 GB of data from several car makers and other industrial corporations was stored on a publicly accessible system. The data included things such as internal forms, factory floor layouts, invoices and configuration data. The system the data was stored on belongs to Level One Robotics and was apparently used for backups. However, instead of each customer's data being isolated from the data of other customers, a security research firm states that the data was stored in a way that allowed access to data that people should not be privy to. All that was required was a valid login for the system as well as a bit of basic knowledge.
Through the delivery gate
What makes this strategy particularly risky is the fact that the data also contained trade secrets which are closely guarded by their originating companies. Even confidential documents such as a non-disclosure agreement from Tesla Motors were found. In a world in which many companies are reluctant to even talk about their customers, those revelations have an even bigger significance. Even if you had nothing but the directory listing of the affected system, you would hold a critical piece of information. If an attacker knows that a company works with a particular supplier, they could mount a successful attack based on this. Social engineering is only one of the possible tactics.
Events such as this one should also serve as a reminder for organizations not only to take their own security seriously, but also to take a close look at the security of the organizations they work with. In order for this to work, trust must be established. Without trust, it is almost impossible to establish a business relationship, especially nowadays.