Information Security Buzz reported findings from a security researcher who recently discovered a misconfiguration in a Git web portal belonging to Daimler AG, the parent company of Mercedes-Benz.

The researcher was able to access, download and leak over 580 Git repositories containing source code for “smart car” components installed in Mercedes vans. The leaked projects also included Raspberry Pi images, server images, internal Daimler components for managing remote onboard logic units (OLUs), internal documentation, code samples, passwords, and API tokens.

So why is this important? Aside from the potential damage to Daimler’s corporate intellectual property, the leak of information about the OLUs could be detrimental to their customers. An OLU is a component that sits between the car’s hardware and software, connecting the vehicle to the cloud. It simplifies technical access and the management of live vehicle data, allowing third-party developers to create apps that retrieve data from Mercedes vehicles. For example, if your car is stolen, an application that accesses the car’s OLU could be used to freeze it. In the hands of an untrusted person, this sensitive information could be used maliciously.

Aside from the potential damage to both the company and its customers, the broader concern is the underlying misconfiguration that made Daimler’s information publicly accessible. Our very own Chris DeRamus, VP of Technology, reminded Information Security Buzz of the prevalence of cloud misconfigurations.

Misconfigured security settings are the top culprit behind many major data leaks and breaches. In fact, the number of records exposed by cloud misconfigurations rose by 80% in 2019. In this GitLab instance, bad actors could register an account on Daimler’s code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors. Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information.

Chris DeRamus, VP of Technology, DivvyCloud by Rapid7
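As an added illustration of the misconfiguration pattern described in the quote above (a self-hosted GitLab instance that lets anyone register an account and then read the projects), here is a small audit that flags that pattern in the JSON returned by GitLab’s Application Settings API. This is example code written for this post, not code from DivvyCloud or from the Daimler portal; the field names are GitLab’s as I understand them (confirm them against your instance’s API version), and the sample settings and the domain are constructed.

```python
"""Audit GitLab application settings for the open-registration pattern.

Input is the JSON from GET /api/v4/application/settings (admin token needed).
The two sample dictionaries below are constructed for this example.
"""
import json
import urllib.request

# Constructed: what an instance open to anyone on the internet looks like.
WEAK_SETTINGS = {
    "signup_enabled": True,
    "require_admin_approval_after_user_signup": False,
    "domain_allowlist": [],
    "default_project_visibility": "internal",
}

# Constructed: the same instance after hardening.
HARDENED_SETTINGS = {
    "signup_enabled": False,
    "require_admin_approval_after_user_signup": True,
    "domain_allowlist": ["example-corp.invalid"],  # placeholder domain
    "default_project_visibility": "private",
}


def audit_signup_settings(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if settings.get("signup_enabled", False):
        # Anyone who can reach the portal can create an account ...
        if not settings.get("require_admin_approval_after_user_signup", False):
            findings.append("open signup without admin approval")
        # ... from any e-mail address, not just the company's own domains.
        if not settings.get("domain_allowlist"):
            findings.append("signup not restricted to corporate e-mail domains")
    # 'internal' projects are readable by every signed-in user, so combined
    # with open signup they are effectively public; 'public' needs no login.
    visibility = settings.get("default_project_visibility", "private")
    if visibility in ("internal", "public"):
        findings.append(f"default project visibility is {visibility}")
    return findings


def fetch_settings(base_url, admin_token):
    """Fetch live settings from an instance you administer (assumed URL/token)."""
    url = base_url.rstrip("/") + "/api/v4/application/settings"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": admin_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `audit_signup_settings(fetch_settings("https://gitlab.example.invalid", token))` against your own instance; a non-empty result is worth a ticket.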

To read more about the pervasiveness of this problem, check out our 2020 Cloud Misconfigurations Report.
