Information Security Buzz reported findings from a security researcher, who recently discovered a misconfiguration in a Git web portal belonging to Daimler AG, parent company of Mercedes-Benz.
The researcher was able to access, download and leak over 580 Git repositories containing source code for “smart car” components installed in Mercedes vans. The leaked projects also included Raspberry Pi images, server images, internal Daimler components for managing remote onboard logic units (OLUs), internal documentation, code samples, passwords, and API tokens.
So why is this important? Aside from the potential damage to Daimler’s corporate intellectual property, the leak of information from the OLUs could be detrimental to their customers. An OLU is a component that sits between the car’s hardware and software, connecting the vehicle to the cloud. It simplifies technical access and the management of live vehicle data, allowing third-party developers to create apps that retrieve data from Mercedes vehicles. For example, if your car is stolen, an application that accesses the car’s OLU could be used to freeze it. In the hands of an untrusted person, this sensitive information could be used maliciously.
Aside from the potential damage to both the company and its customers, the broader concern is the underlying misconfiguration that made Daimler’s information publicly accessible. Our very own Chris DeRamus, VP of Technology, reminded Information Security Buzz of the prevalence of cloud misconfigurations.
“Misconfigured security settings are the top culprit behind many major data leaks and breaches. In fact, the number of records exposed by cloud misconfigurations rose by 80% in 2019. In this GitLab instance, bad actors could register an account on Daimler’s code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors. Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information.”
Chris DeRamus, VP of Technology, DivvyCloud by Rapid7
To read more about the pervasiveness of this problem, check out our 2020 Cloud Misconfigurations Report.