A security researcher has revealed how he was able to access a GitLab server owned by Daimler AG and download the source code of onboard logic units (OLUs) installed in Mercedes vans.
Till Kottmann was able to discover a misconfiguration in the Git web portal of Daimler AG, the automotive company behind the Mercedes-Benz car brand. The misconfiguration allowed him to create an account on Daimler's code-hosting portal and download more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans.
Onboard logic units (OLUs) are the control units of Mercedes vans. They connect the vehicles to the cloud and let third-party developers build apps that retrieve vehicle data, such as a van's internal status, or immobilise a van in case of theft.
Kottmann told ZDNet that he found Daimler's GitLab server using Google dorks, specialised Google search queries that surface exposed systems. "I often just hunt for interesting GitLab instances, mostly with just simple Google dorks, when I'm bored, and I keep being amazed by how little thought seems to go into the security settings. This was honestly just a very lucky find while I was going through some brand names I hadn't checked before in hopes of finding like some small contractors or something," he said.
According to Kottmann, the company's official GitLab server had no account confirmation process, which allowed him to register an account using a non-existent Daimler corporate email address. He was able to download 580 Git repositories from the company's server and made them publicly available by uploading the files to several locations, including the file-hosting service MEGA, the Internet Archive, and his own GitLab server.
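The root cause described here is a configuration gap rather than a software flaw: self-registration was open and nothing verified that the registrant actually controlled the e-mail address. As an added illustration (not code from the article, from Daimler or from GitLab), the following audit flags that gap in the JSON returned by GitLab's admin settings endpoint, `GET /api/v4/application/settings`; the two settings dictionaries are constructed samples, and `example-corp.invalid` is a placeholder domain.

```python
# Audit of GitLab self-registration settings. Input is the JSON object returned by
# GET /api/v4/application/settings; current key names and the older
# send_user_confirmation_email / domain_whitelist names are both handled.

def email_confirmation_mode(settings: dict) -> str:
    """Normalise old and new setting names to 'off', 'soft' or 'hard'."""
    if "email_confirmation_setting" in settings:
        return settings["email_confirmation_setting"]
    return "hard" if settings.get("send_user_confirmation_email") else "off"


def audit_signup_settings(settings: dict) -> list:
    """Return findings that let an outsider create an account they should not have."""
    findings = []
    if not settings.get("signup_enabled", True):
        return findings  # no self-registration at all; nothing further to check
    mode = email_confirmation_mode(settings)
    allowlist = settings.get("domain_allowlist") or settings.get("domain_whitelist") or []
    if mode != "hard":
        # 'soft' lets a user sign in before confirming, so only 'hard' proves mailbox control
        findings.append(f"sign-up is open and e-mail confirmation is '{mode}': "
                        "accounts are created without proving control of the address")
        if allowlist:
            findings.append("domain allowlist (" + ", ".join(allowlist) + ") is not backed "
                            "by ownership proof, so a non-existent address in that domain works")
    elif not allowlist:
        findings.append("sign-up is open to any e-mail domain")
    if not settings.get("require_admin_approval_after_user_signup", False):
        findings.append("new accounts become active without admin approval")
    return findings


# Constructed sample: registration limited to a corporate domain, confirmation off.
WEAK_SETTINGS = {
    "signup_enabled": True,
    "email_confirmation_setting": "off",
    "domain_allowlist": ["example-corp.invalid"],
    "require_admin_approval_after_user_signup": False,
}

# Constructed sample: the same instance after hardening.
HARDENED_SETTINGS = {
    "signup_enabled": True,
    "email_confirmation_setting": "hard",
    "domain_allowlist": ["example-corp.invalid"],
    "require_admin_approval_after_user_signup": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_signup_settings(cfg) or ["no findings"])
```

Disabling `signup_enabled` outright, or federating sign-in to the corporate identity provider, removes the problem entirely; the allowlist alone only looks restrictive.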
ZDNet was able to review some of the leaked files and confirmed that none of them included an open-source license, indicating that the researcher had indeed been able to access proprietary information belonging to Daimler AG.
“The leaked projects included the source code of Mercedes vans OLU components, but also Raspberry Pi images, server images, internal Daimler components for managing remote OLUs, internal documentation, code samples, and more,” ZDNet confirmed.
Cyber crime investigators at Under the Breach confirmed that the breached data, which initially looked harmless, contained passwords and API tokens for Daimler's internal systems. In the wrong hands, this data could be used to plan further intrusions into Daimler's cloud and internal network.
Misconfigured security settings are the top culprits behind many data leaks and breaches
Daimler AG did not release an official statement regarding the security breach but took the GitLab server offline after being approached by Under the Breach and ZDNet.
Commenting on a white hat researcher accessing the source code of Mercedes vans, Chris DeRamus, VP of Technology, Cloud Security Practice at Rapid7, told TEISS that "misconfigured security settings are the top culprit behind many major data leaks and breaches. In fact, the number of records exposed by cloud misconfigurations rose by 80% in 2019.
“In this GitLab instance, bad actors could register an account on Daimler's code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors. Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information.
“Without a proactive approach to security, companies open themselves up to undue risk. Most organisations rely on detecting risks and misconfigurations in the cloud at runtime (after provisioning or creation) instead of preventing them during the build process, which increases security and compliance risks significantly. It also interferes with productivity, as developers have to spend their time addressing the issues.
“Daimler’s exposure of their Git repositories highlights how developers and security teams must work towards proactively identifying compliance and security issues before cloud resources are deployed. Instead of primarily relying on runtime security, organisations should ‘shift left’ by taking preventative measures early on in their continuous integration and continuous delivery (CI/CD) pipelines. Such a proactive approach will allow organisations to prevent security issues from occurring and will enable security teams to catch misconfigurations before leaks occur,” he added.