Mercedes-Benz “smart car” source code leaked – expert commentary

By   muhammad malik
Chief Editor , Information Security Buzz | May 18, 2020 11:30 pm PST

A security researcher discovered a misconfiguration in a Git web portal belonging to Daimler AG, the German automotive company behind the Mercedes-Benz brand. The researcher was able to access, download and leak over 580 Git repositories containing the source code for “smart car” components installed in Mercedes vans. The leaked projects also included Raspberry Pi images, server images, internal Daimler components for managing remote OLUs, internal documentation, code samples, and passwords and API tokens to Daimler’s systems.

Subscribe
Notify of
guest
1 Expert Comment
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Chris DeRamus
Chris DeRamus , VP of Technology Cloud Security Practice
May 19, 2020 7:32 am

Misconfigured security settings is the top culprit behind many major data leaks and breaches. In fact, the number of records exposed by cloud misconfigurations rose by 80% in 2019. In this GitLab instance, bad actors could register an account on Daimler\’s code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors. Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information.

Without a proactive approach to security, companies open themselves up to undue risk. Most organizations rely on detecting risks and misconfigurations in the cloud at runtime (after provisioning or creation) instead of preventing them during the build process, which increases security and compliance risks significantly. It also interferes with productivity, as developers have to spend their time addressing the issues.

Daimler’s exposure of their Git repositories highlights how developers and security teams must work towards proactively identifying compliance and security issues before cloud resources are deployed. Instead of primarily relying on runtime security, organizations should “shift left” by taking preventative measures early on in their continuous integration and continuous delivery (CI/CD) pipelines. Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch misconfigurations before leaks occur.

Last edited 3 years ago by Chris DeRamus

Recent Posts

1
0
Would love your thoughts, please comment.x
()
x