Data from Over 100 Manufacturers Exposed Online

VW, Chrysler, Ford, Toyota, GM and Tesla among those with data stored on a publicly accessible server.

A screenshot of the “customers” folder in the Level One data set. (Image courtesy of UpGuard.)

A robotics firm has exposed 157 GB of sensitive data from over 100 manufacturers by storing it on a publicly accessible server.

Level One Robotics, an engineering service provider specializing in process automation and assembly, stored data from companies including VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp on an rsync server that was not restricted by IP or user. Rsync is a common file transfer protocol used to mirror or back up large data sets.

The vulnerable server was discovered by UpGuard, a cybersecurity company, which contacted Level One and advised the company of the issue. According to UpGuard, “Level One took the exposure very seriously and made every effort to shut it down immediately upon notification.”

The 10 years’ worth of exposed data included:

  • Assembly line schematics
  • Factory floor plans and layouts
  • Robotic configurations and documentation
  • ID badge request forms
  • VPN access request forms
  • Non-disclosure agreements
  • Personal details of Level One employees, including scans of driver’s licenses and passports
  • Level One business data, including invoices, contracts and bank account details

According to UpGuard, “Not all types of information were discovered for all customers, but each customer contained some data of these kinds.” Data on factory layouts and robotics products included CAD drawings and machine specifications.

A redacted screenshot of one of the many schematics contained in the Level One data set. (Image courtesy of UpGuard.)

As UpGuard noted, documents for requesting ID badges and VPN credentials are particularly useful for social engineering. Although the data did not include plaintext passwords, the combination of official forms and personal information could make it much easier to gain access to restricted facilities.

Perhaps most troubling of all, the permissions set on the rsync server indicated that it was publicly writable, meaning that a malicious actor could have potentially altered financial documents or embedded malware.
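The two conditions reported here, an rsync server not restricted by IP or user and a publicly writable share, correspond to rsync daemon module settings that can be checked mechanically. The following is an added example, not code from the article or from UpGuard: a small auditor for an `rsyncd.conf` file, run on a constructed sample. It assumes the standard `hosts allow`, `auth users` and `read only` parameters and does not handle line continuations or include directives.

```python
import re

SAMPLE_CONF = """\
# Constructed sample, not Level One's configuration
uid = nobody
[customers]
    path = /srv/customers
    read only = no

[mirror]
    path = /srv/mirror
    hosts allow = 192.0.2.0/24
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""

TRUE = {"yes", "true", "1"}

def parse(text):
    """Return {module: settings}, with global settings inherited as defaults."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), dict(globals_))
        elif "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # normalise name (simplification)
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Flag modules reachable from any host, by any user, or writable."""
    findings = {}
    for name, cfg in parse(text).items():
        checks = [
            ("no hosts allow", not cfg.get("hosts allow")),
            ("no auth users", not cfg.get("auth users")),
            # rsync modules are read-only unless configured otherwise
            ("writable", cfg.get("read only", "yes").lower() not in TRUE),
        ]
        issues = [label for label, bad in checks if bad]
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for module, issues in audit(SAMPLE_CONF).items():
        print(f"[{module}] {', '.join(issues)}")
```

A module that is flagged on all three checks matches the exposure described in this article: anyone who can reach the daemon can read and modify its contents.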

Given the extent of the exposure, it’s fortunate that the incident was dealt with quickly.

Written by

Ian Wright

Ian is a senior editor at engineering.com, covering additive manufacturing and 3D printing, artificial intelligence, and advanced manufacturing. Ian holds bachelor's and master's degrees in philosophy from McMaster University and spent six years pursuing a doctoral degree at York University before withdrawing in good standing.