Honda Motor Company has secured an ElasticSearch database, found via Shodan, that was reachable without any authentication and held an inventory of the company's internal network and computers, a researcher said.
The database appeared to be an inventory of all Honda internal machines, including each machine's hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda's endpoint security software, said Justin Paine, the researcher who found the issue.
As of 2015, Honda was the eighth largest automobile manufacturer in the world, with an approximate market cap of $46.8 billion. Honda has offices spread across the world, including Japan, the United States, Great Britain, and Mexico, to name a few.
The following is a statement by Honda:
“Thank you very much for pointing out the vulnerability. The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers. We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future.”
Based on the Shodan scan of the IP, the database appears to have been publicly accessible as of July 1, 2019. After Paine contacted Honda on July 6, the company promptly took action to secure the database, Paine said in a post.
The exposed ElasticSearch database contained approximately 134M documents, which translated to roughly 40GB of data. Data in the database appeared to go back as far as March 13, 2019, or roughly 3.5 months of data, the researcher said.
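The root cause here was an ElasticSearch node listening on the internet with no authentication in front of it. The following is an added example, not code from Honda or from the researcher, showing a small offline audit of an `elasticsearch.yml` for the settings that produce that condition. The setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings; the two sample configurations and the severity thresholds are constructed for this example.

```python
"""Audit a minimal elasticsearch.yml for settings that leave a node's HTTP API
readable without credentials.

Added example, not code from Honda or the researcher who reported the exposure.
The two sample configurations at the bottom are constructed for illustration.
"""

from typing import Dict, List

# Bind values that keep the node reachable only from the host itself.
LOOPBACK_BINDS = {"_local_", "127.0.0.1", "::1", "localhost"}

# Bind values that listen on every interface, including public ones.
ALL_INTERFACE_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_settings(text: str) -> Dict[str, str]:
    """Parse flat 'key: value' lines (comments and blanks ignored).

    This is a deliberately minimal parser for the dotted-key style that
    elasticsearch.yml commonly uses; nested YAML blocks are not handled.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings


def audit_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    s = parse_settings(text)
    findings: List[str] = []

    host = s.get("network.host", "_local_")  # Elasticsearch binds loopback when unset
    reachable_off_host = host not in LOOPBACK_BINDS
    # Treat a missing security flag as "not explicitly enabled": the default has
    # differed across major versions, so the conservative reading is to flag it.
    auth_on = s.get("xpack.security.enabled") == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled") == "true"

    if reachable_off_host and not auth_on:
        findings.append(
            f"CRITICAL: node binds to {host} and xpack.security.enabled is not true; "
            "the HTTP API (port 9200 by default) answers queries with no credentials"
        )
    if reachable_off_host and not tls_on:
        findings.append(
            "WARNING: xpack.security.http.ssl.enabled is not true; credentials and "
            "index contents travel in cleartext"
        )
    if host in ALL_INTERFACE_BINDS:
        findings.append(
            f"WARNING: network.host={host} listens on every interface; bind to a "
            "private interface and restrict the port at the firewall"
        )
    return findings


# Constructed sample: the shape of configuration that leads to a public, open index.
WEAK_CONFIG = """
cluster.name: inventory
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: private bind, authentication and TLS switched on.
HARDENED_CONFIG = """
cluster.name: inventory
network.host: 10.20.30.40
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_config(cfg) or ["no findings"]:
            print("  " + finding)
```

The weak sample produces one critical and two warning findings; the hardened sample produces none. Even the hardened form relies on `network.host` pointing at a private address, so the audit is a complement to, not a substitute for, checking what the node's port actually looks like from outside the network, which is exactly the view Shodan provided in this case.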
“What makes this data particularly dangerous in the hands of an attacker is that it shows you exactly where the soft spots are. I am specifically not going to name the major endpoint security vendor that protects Honda’s machines, but the data makes it clear which vendor they use and which machines have the endpoint security software enabled and up to date. The data seems to show you which machines do not have endpoint security enabled, which machines are running older operating systems, and if you have a particular vulnerability you could quickly search for machines that have not been patched yet using this data,” Paine said.
“This data contained enough identifiable information to make it extremely simple to locate specific high value employees (such as the CEO, CFO, CSO, etc.). In the hands of an attacker this leaked data could be used to silently monitor those executives to identify ways to launch very targeted attacks,” Paine said.