Toyota's bungling of customer privacy is becoming a pattern
Also: 3D printing gun mods = jail time; France fines Clearview AI for ignoring fine; this week's critical vulns, and more
in brief Japanese automaker Toyota has admitted yet again to mishandling customer data – this time saying it exposed information on more than two million Japanese customers for the past decade, thanks to a misconfigured cloud environment.
Toyota explained in a Japanese-language statement that it took measures to block external access to the insecure cloud system as soon as it noticed the issue – but the fact it took a decade to catch on isn't exactly reassuring.
"There was a lack of active detection mechanisms, and activities to detect the presence or absence of things that became public," a Toyota spokesperson told Reuters.
The exposed data belongs to almost the entire Japanese customer base that had signed up for Toyota's T-Connect driver assist product, and users of the G-Link service – a similar product for Toyota's luxury subsidiary Lexus.
According to the automaker, in-vehicle terminal IDs, chassis numbers, vehicle location information and timestamps were included in the exposed data, but Toyota said nothing in the dataset could be used to identify customers based on the data alone. Toyota also said it hasn't found any indication the data was accessed or copied by a third party since November 2013, when the cloud service was first exposed.
It would be easy to dismiss the incident as a rather serious accident, but Toyota's done this before: It admitted just last year to exposing data on nearly 300,000 T-Connect customers thanks to another security mishap.
In that case, a subcontracted developer working on T-Connect uploaded source code to GitHub that contained an access key for a server storing customer data. The upload happened in 2017, and – in what's beginning to seem like a pattern – the company didn't notice until September 2022. Toyota wasn't even able to confirm whether any unsavory parties had accessed the data.
We've reached out to Toyota to learn more about this latest incident but haven't heard back.
Just because you can make gun parts with 3D printing doesn't mean you should
A Mississippi man has been sentenced to 14 years in prison after pleading guilty to 3D printing devices called "auto-sears," which are designed to turn semi-automatic weapons into automatic machine guns.
Kent Edward Newhouse was sentenced for being a felon in possession of a firearm and engaging in business as a firearms manufacturer for printing the $20 firearm accessories. The tiny clip-on component modifies firearms by preventing the hammer from falling and resetting the trigger – allowing an entire magazine to be emptied with a single pull.
Despite only being a modification piece, federal law classifies auto-sears as automatic firearms in and of themselves, allowing law enforcement officials to treat anyone in possession of one as if they were in possession of an illegal machine gun.
Newhouse was caught when he sold a confidential informant a firearm and several of his homemade auto-sears. He was previously convicted in 2009 on a felony sale of controlled substances charge.
Critical vulnerabilities: Watch for papercuts
This being a Patch Tuesday week, our list of critical vulnerabilities was already covered by The Register – but there are still a couple of items to go over.
First off, there's CISA's reiteration of CVE-2023-27350, which we covered in a cyber security roundup last month. Despite a patch being available, it's still around and still being exploited, said CISA. As mentioned before, the bug in the PaperCut MF and NG print management services could allow an unauthenticated attacker to execute malicious code remotely. Since it's been severe enough to warn the public about twice, we figured we should remind our readers yet again to install the applicable patches if their institution uses PaperCut.
CISA also published advisories for a few industrial control system vulnerabilities, only one of which was critical, earning a CVSS score of 9.8. The issue is in Hitachi Energy MSM equipment version 2.2.5 and earlier, which contains several vulnerabilities that could hand an attacker user access credentials for the web interface or cause a denial of service. Hitachi said MSM is not supposed to be directly connected to the internet, and in lieu of patching it urges customers to disconnect their devices from internet-facing networks, implement user access management, and follow other best practices.
Intermittently encrypted? There's an open source tool for that
Identity management firm CyberArk has released an open source tool it said can – in certain circumstances – recover data encrypted by ransomware.
Dubbed White Phoenix, it's a simple Python script designed to extract data from ransomed files that are only intermittently encrypted, which CyberArk said is a burgeoning trend in the ransomware world – favored for its speed and tendency to make a ransom attack less noticeable, while still doing damage.
With just a path to an encrypted file and an output path, White Phoenix can recover text and images from encrypted files, with each chunk output in a separate file for post-process recovery. As of now, only PDF, Word, Excel, PowerPoint and Zip files are supported, but CyberArk said other formats – including video and audio files – may work. It encourages experimentation to improve the software.
Ransomware families supported by White Phoenix include BlackCat, Play, Qilin/Agenda, BianLian and Darkbit. Those who'd like to test it out can find it on GitHub.
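To show the recovery idea in code, here is an added example that is not White Phoenix's own code: instead of the tool's per-format handling, it uses a format-agnostic per-window entropy heuristic (an assumption of mine, not the tool's method), treating high-entropy 1 KiB windows as ciphertext and carving each contiguous run of low-entropy bytes into a separate fragment, the way the tool writes each recovered chunk to its own file. The sample input is constructed inline: a block of text with every other window overwritten by pseudo-random bytes to mimic an alternating intermittent-encryption pattern.

```python
import math
import random

CHUNK = 1024          # analysis window; assumption: tune to the ransomware family's block pattern
ENTROPY_LIMIT = 6.5   # bits/byte; random ciphertext scores ~7.8, natural-language text ~4-5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a chunk in bits per byte (0.0 for an empty chunk)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def carve_plaintext(blob: bytes, chunk: int = CHUNK, limit: float = ENTROPY_LIMIT) -> list[bytes]:
    """Skip high-entropy (encrypted) windows; return each contiguous run of surviving
    low-entropy bytes as its own fragment, mirroring the one-file-per-chunk output."""
    fragments, current = [], bytearray()
    for off in range(0, len(blob), chunk):
        window = blob[off:off + chunk]
        if shannon_entropy(window) >= limit:
            if current:                 # an encrypted window ends the current plaintext run
                fragments.append(bytes(current))
                current = bytearray()
        else:
            current += window
    if current:
        fragments.append(bytes(current))
    return fragments

def simulate_intermittent_encryption(plain: bytes, chunk: int = CHUNK, seed: int = 7) -> bytes:
    """Constructed sample only: overwrite every other window with pseudo-random bytes
    to mimic an alternating intermittent-encryption pattern (not a real ransomware routine)."""
    rng = random.Random(seed)
    out = bytearray(plain)
    for off in range(0, len(plain), 2 * chunk):
        span = min(chunk, len(plain) - off)
        out[off:off + span] = rng.randbytes(span)
    return bytes(out)

# Constructed stand-in for a document body: ~4.5 KB of low-entropy text.
SAMPLE_TEXT = b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 80

def recover_sample() -> list[bytes]:
    """Carve the constructed sample; the two untouched 1 KiB windows come back intact."""
    return carve_plaintext(simulate_intermittent_encryption(SAMPLE_TEXT))
```

Calling `recover_sample()` returns two 1024-byte fragments, the windows the simulated encryption left alone; on a real file the window size and threshold would need adjusting to the family's pattern, and fragments still need format-aware post-processing to become readable documents.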
France fines Clearview AI for not paying first fine
Clearview AI, the facial recognition platform that's run afoul of data collection laws on multiple occasions, has been hit with a €5.2 million ($5.6 million) fine by France's data protection agency, the CNIL, for not paying a much larger €20 million fine levied against it last year.
The CNIL said Clearview AI violated the EU's General Data Protection Regulation by cataloging photos belonging to EU residents posted to social media and other online platforms. Whether Clearview would ever pay either fine is unclear. The company maintains it's not bound by the GDPR since it doesn't do business in the EU. However, the GDPR prohibits the processing of data belonging to EU citizens regardless of whether an organization does any business on the continent. ®