The UpGuard Cyber Risk team can now disclose that sensitive documents for over a hundred manufacturing companies were exposed on a publicly accessible server belonging to Level One Robotics, “an engineering service provider specialized in automation process and assembly for OEMs [original equipment manufacturers], Tier 1 automotive suppliers as well as our end users.” Among the companies with data exposed in the incident are divisions of VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp.
The 157 gigabytes of exposed data include over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information. Not all types of information were discovered for all customers, but each customer contained some data of these kinds. Also included are personal details of some Level One employees, including scans of driver’s licenses and passports, and Level One business data, including invoices, contracts, and bank account details.
The data was exposed via rsync, a common file transfer protocol used to mirror or backup large data sets. The rsync server was not restricted by IP or user, and the data set was downloadable to any rsync client that connected to the rsync port. The sheer amount of sensitive data and the number of affected businesses illustrate how third-party and fourth-party supply chain risk can affect even the largest companies. The automation and digitization of manufacturing has transformed the industry, but it has also created a new area of concern for industries, and one that must be taken seriously for organizations to thrive in a healthy digital ecosystem.
On July 1st, 2018 the UpGuard Cyber Risk team discovered the exposed rsync server and began analysis. After ownership was determined, attempts to contact Level One were begun on July 5th. After successful contact with Level One on July 9th, the exposure was promptly closed by July 10th. Level One took the exposure very seriously and made every effort to shut it down immediately upon notification.
Rsync is a widely used utility for large data transfers, especially backups or keeping files in sync in multiple locations. However, like most tools of its kind, it can be used insecurely if the proper steps are not taken to restrict the rsync service. The details of rsync security can be found in our blog post here, but in summary: rsync instances should be restricted by IP address so that only designated clients can even connect, and user access should be set up so that clients must authenticate before receiving the dataset. Without these measures, rsync is publically accessible.
The exposed information can be broken down into roughly three categories.
- Customer data - Assembly line and factory schematics; non-disclosure agreements; robotic configurations, specifications, animations, and blueprints; ID badge and VPN access request forms; customer contact information
- Employee data - Driver’s license and passport scans, ID photos (likely for badges); employee names and ID numbers
- Level One data - Contracts, invoices, price negotiations and scopes of work, customer agreements
Level One Robotics has some big customers, including major automobile manufacturers like GM, Ford, Tesla, and more. The exposed data includes information on over a hundred different companies who interface with Level One.
A screenshot of the "customers" folder in the Level One data set.
Detailed CAD drawings of both factory layouts and robotics products are included among the data.
A redacted screenshot of one of the many schematics contained in the Level One data set.
In addition to the schematics are documents that detail the configurations, specifications and use of the machines, as well as animations of the robots at work.
Screenshot of one of the robotics animation files present in the exposed Level One data.
Customer contact details, including names and titles of client employees were also present, illustrating the network of connections in the robotics automation pipeline. The documents by which Level One contractors request ID badges and VPN credentials to some of these clients are also exposed in the rsync discovery, a significant point for social engineering.
A badge request form for Boeing, not listed among Level One’s customers, was also found among the data set.
Finally, the full text of dozens of non-disclosure agreements is present, outlining client expectations of privacy and the confidential nature of the data being handled.
A non-disclosure agreement form from Tesla, one of many included in the Level One data set.
The exposed data set also contained personally identifiable information (PII) for some of Level One’s own employees, including scans of passports, driver’s licenses and other identification.
Redacted screenshot of one of the driver's license scans present in the exposed Level One data.
Redacted screenshot of a passport scan contained in the Level One data set.
Additionally, the ingredients to procure access badges for Level One employees, such as their name, ID number, and photograph are present.
Level One Data
Corporate data exposed on the rsync server includes sales information like invoices, prices, and scopes of work. Insurance policies for Level One contractors are included. Other files contain notes on customers, projects, and the common business documents one would expect on an enterprise file server.
Redacted screenshot of a Level One banking document discovered in the data set.
Also included is banking information for Level One, including account and routing numbers, and SWIFT codes. A SWIFT code is an international bank code that identifies particular banks worldwide.
Automotive manufacturers—and manufacturers in general— usually want to keep the details of how they make their products confidential. Factory layouts, automation efforts, and robot specifications ultimately determine the output potential for the company. Malicious actors could potentially sabotage or otherwise undermine operations using the information present in these files; competitors could use them to gain an unfair advantage. The presence of so many strongly worded NDAs within the data set itself speaks to the level of confidentiality expected by these partners when handling this kind of information.
Perhaps more troubling however, are the files dealing with gaining access, both digital and physical, to many client companies. While no plaintext passwords were discovered in the data set, the combination of the official identification and VPN credential request forms, the contact point for many of Level One’s customers, and the personal information and photographs of Level One employees could make socially engineering access into one of these relatively guarded facilities a much easier task.
But those are just the corporate consequences. The personal information of several Level One employees was also exposed, including scans of passports and driver’s licenses. These kinds of documents should never be publicly exposed, opening the subjects up to identity theft and other fraud.
Finally, the permissions set on the rsync server at the time of the discovery indicated that the server was publicly writable, meaning that someone could potentially have altered the documents there, for example replacing bank account numbers in direct deposit instructions, or embedding malware. As we've discussed in the past, this is a significant risk.
The supply chain has become the weakest part of enterprise data privacy. Companies that spend many millions a year on cybersecurity can still be exposed by a vendor who handles their data. The complexity of the supply chain involves a sprawl of third and fourth-parties who handle corporate data sets. All of these vendors have their own processes and systems that determine how well the data is protected. Organizations and their vendors must have standardized deployment processes that create and maintain assets securely, reducing the likelihood of a data incident. If this security is not built into the processes themselves, there will always be misconfigurations that slip through and lead to data exposure. They must also have an exposure response plan, so that when they are affected, they can act quickly to remediate, as Level One did in this case. Level One Robotics works with clients and other vendors, as necessitated by the robotics manufacturing and sales process. While such an ecosystem can make for great efficiencies and scale, it also opens the entire chain up to risk when a single link faces an exposure.