A publicly accessible ElasticSearch database exposed a huge trove of information on the global internal network of automotive giant Honda, showcasing potential security vulnerabilities that could be abused by potential attackers.
The misconfigured ElasticSearch database contained roughly 134 million documents with 40 GB worth of information on roughly 300,000 Honda employees around the globe.
“The information available in the database appeared to be something like an inventory of all Honda internal machines,” says Justin Paine, the researcher who found the unsecured ElasticSearch instance.
‘This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software.”
The exposed data
The unsecured ElasticSearch database exposed very specific data on hundreds of thousands of Honda’s employees such as names, emails, their last login, as well as on their computers’ endpoint security vendor network information, operating systems, OS versions, hostnames, and patch status.
Additionally, around 3,000 data points were stored in a table named “uncontrolledmachine” which, as Paine presumes, is a list of computers on Honda’s internal network which weren’t using an endpoint security software.
“If an attacker is looking for a way into Honda’s network knowing which machines are far less likely to identify/block their attacks would be critical information. These “uncontrolled machines” could very easily be the open door into the entire network,” adds Paine.
The database also contained data on computers used by higher value such as the company’s CFO, CSO, and CEO, which could allow attackers with enough knowledge to find and access the exposed information to use it in highly targeted attacks.
In the case of Honda’s CEO for instance, the open database showed his full name, account name, email, and last login date, together with his computer’s “MAC address, which Windows KB/patches had been applied, OS, OS version, endpoint security status, IP, and device type.”
Database exposed for six days
As he found after analyzing the database activity over a period of 30 days, the data was being updated every day, with approximately 40,000 new entries containing info on Honda employees from all over the world and their computers’ current network, security, and OS status.
Honda’s exposed database with about three months worth of info starting with March 13 was found by Paine on July 4 and, after a couple of days of trying to find a contact to responsibly disclose his findings, he managed to make contact on the morning of July 6.
The database was left out in the open for roughly six days seeing that the Shodan search which led to its discovery showed a discovery timestamp of July 1, 2019.
Honda secured the data 10 hours later and sent the researcher the following statement to thank him for reporting the vulnerable database:
“What makes this data particularly dangerous in the hands of an attacker is that it shows you exactly where the soft spots are,” concludes Paine.
“I am specifically not going to name the major endpoint security vendor that protects Honda’s machines, but the data makes it clear which vendor they use and which machines have the endpoint security software enabled and up to date.”