The German automaker’s source code for smart car components was leaked online, giving software developers and hackers access to the company’s most lucrative intellectual assets. Mercedes-Benz’s source code for smart car components was accessed by a Swiss software engineer, Till Kottmann, who published the Daimler AG’s repository for the public to access. Kottmann accessed the unsecured source code repository by registering an account on the Daimler code hosting portal that did not require account confirmation. The Git web portal allowed the Swiss engineer to register an account with a fake Daimler corporate email without checking its authenticity. The exposed Daimler GitLab server gave the developer access to over 580 repositories hosted by the German automaker. GitLab allows companies to centralize the software development process carried out by different individuals and teams. The source code leak contained the logic of the critical components of Mercedes-Benz vans with no licensing information. Kottmann said he found the unsecured Git web portal through a simple Google dorks search. The software engineer has refused to pull down the published source code.
Smart car components exposed in the source code leak
The Mercedes Benz smart car source code leak exposed the most critical components of the smart car. The source code leak contained the code of onboard logic units (OLUs) for Mercedes Benz vans. The OLU sits between the smart car’s hardware and software, providing access to the control features of the van. The components allow tracking of vehicles on the road, checking the internal status of the vehicle, as well as freezing the vehicle in case of theft. Additionally, it connects the smart car to the cloud. The OLU simplifies technical access and the management of live vehicle data. The component also gives third-party developers the ability to develop apps for the smart car automaker. Exposing such a critical component provides software developers and hackers with unrestricted access to the smart car.
Other components contained in the source code leak included Raspberry Pi images, internal Daimler components for managing remote OLUs, server images, code samples, internal documentation, and other advanced features. A cybersecurity firm, Under the Breach, said it also found passwords and API tokens for the luxury brand’s internal smart car components. These credentials give developers access to the automaker’s cloud platform.
Such a security oversight could be exploited by cybercriminals to conduct a largescale attack on Daimler’s vehicles by harnessing its cloud infrastructure. The source code leak could also allow them to discover vulnerabilities in the affected cars, which the company is unaware of. Such faults could be exploited in future attacks, putting lives on the road at risk.
Kottmann said he performs regular searches with Google dorks to discover instances of GitLab run by various companies. The software developer said many companies do not implement more robust security features on their code versioning systems. He said he was lucky as he expected to find small contractors but not popular brands like Daimler.
Chris DeRamus, VP of Technology, Cloud Security Practice at Rapid7 says misconfigured security settings are responsible for most major data leaks.
“Misconfigured security settings is the top culprit behind many major data leaks and breaches. In fact, the number of records exposed by cloud misconfigurations. In this GitLab instance, bad actors could register an account on Daimler’s code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors. Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information.”
He adds that companies should be vigilant about security issues to prevent themselves from becoming victims of unauthorized data access. He noted that having better security measures increases productivity of developers who will be releaved of the effort to respond to security issues.
DeRamus says companies should not rely on runtime security but should incorporate security measures during the integration stage. This would help them address security issues before they occurred.
“Daimler’s exposure of their Git repositories highlights how developers and security teams must work towards proactively identifying compliance and security issues before cloud resources are deployed. Instead of primarily relying on runtime security, organizations should “shift left” by taking preventative measures early on in their continuous integration and continuous delivery (CI/CD) pipelines. Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch misconfigurations before leaks occur.”
Response from Daimler
While there was no official response from Daimler, the company did closed the security loophole to prevent further intrusion into its source code hosting portal. However, the software engineer who discovered the breach maintains the source code published online for others to download at will. Kottmann said he would not pull down the leaked source code unless contacted by the automaker. Although the legality of his actions remains in question, there are no indications that the car manufacturer will take additional legal steps. The company is probably embarrassed by the source code leak, and would likely prefer to let the storm pass instead of attracting more negative attention to itself.