
Automotive giant Honda has shut down an exposed database that contained sensitive information about the security — specifically the weak points — of its internal network.

Security researcher Justin Paine discovered the sensitive information after scouring the internet with Shodan, a specialist search engine which can be used to find exposed internet-enabled devices such as webcams, routers and IP phones.

What Paine found was an ElasticSearch database that was accessible without any authentication.

The data contained within this database was related to the internal network and computers of Honda Motor Company. The information available in the database appeared to be something like an inventory of all Honda internal machines. This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software.

As Paine explains, what makes such information “particularly dangerous in the hands of an attacker is that it shows you exactly where the soft spots are.”

Reading the data, the researcher was able to identify which endpoint security vendor was used to protect Honda’s computers, which had security software installed and enabled as well as which were up-to-date (and thus, which were not).

Furthermore, Paine claims that it was “extremely simple” to locate specific employees, including high-value employees such as the CEO, CFO or CSO, and launch highly targeted attacks.

Paine also pointed out that being able to identify which computers were less likely to identify or block attacks could “very easily be the open door into the entire network.”

Thankfully, Paine acted responsibly. He contacted Honda’s security team, who responded rapidly by locking down access to the database. Honda issued a statement thanking the researcher for his assistance and issuing a reassurance that it did not believe others had accessed the sensitive data:

Thank you very much for pointing out the vulnerability. The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers.

We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future.

Paine praised Honda’s “very prompt action” in securing the database shortly after being notified.

In an ideal world, your company wouldn’t have unpatched security holes on any of its systems.

But we don’t live in an ideal world, and any organisation of a decent size is likely to have at least some software that has not yet been patched against known flaws.

In such situations, it makes sense for an IT team looking after the security of possibly hundreds of thousands of employees to have some sort of visibility as to whose PC may be unpatched, whose anti-virus software may be out-of-date and who is using a vulnerable device.

But if you do collect that type of information about the systems attached to your company’s network, it would be a very bad idea indeed to let such sensitive information fall into the wrong hands.

After all, a malicious attacker could use new-found knowledge about what systems have been left unpatched to launch a targeted attack, all the while knowing that they have an increased likelihood of success.
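The exposure described above comes down to an Elasticsearch node that answers anyone who can reach it. As an added illustration (not taken from Honda’s systems or from the researcher’s write-up), the following elasticsearch.yml fragments contrast the weak configuration with the corrected one. The address, port and certificate path are assumptions chosen for the example; the setting names are Elasticsearch’s own.

```yaml
# --- Weak configuration (constructed illustration) ---
# Listens on every interface and has authentication switched off, so any
# client that can reach port 9200 can read the whole inventory. Elasticsearch
# 6.x and 7.x nodes ran like this unless security was enabled explicitly.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

---
# --- Corrected configuration (constructed illustration) ---
# Bind only to a private management address (assumed value), require
# authentication, and encrypt the HTTP API so credentials are not sent in
# clear text. The keystore path is a placeholder for your own certificate.
network.host: 10.0.5.20
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
```

Two notes on the design choice. Binding to a private address is the first line of defence, but it is not a substitute for authentication: an inventory of which machines are unpatched should be readable only by the accounts that need it, even from inside the network. From Elasticsearch 8.0 onwards security is enabled by default, so a node that still answers unauthenticated requests is a sign that someone turned it off or is running an old version; checking your own nodes for a 401 response on an anonymous request is a quick way to confirm the setting took effect.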

It’s easy to read about the situation Honda found itself in and feel smug, but the sensible way to respond is not with mockery but instead to ask yourself if the same could happen at your company.

And if it could, would your organisation be able to close the security hole down as quickly as Honda did?


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.