Mercedes-Benz “smart car” source code leaked – expert commentary

A security researcher discovered a misconfigured GitLab web portal belonging to Daimler AG, the German automotive company behind the Mercedes-Benz brand: the code-hosting instance let anyone register an account and then download the company's repositories. The researcher was able to access, download and leak over 580 Git repositories containing the source code for “smart car” components installed in Mercedes vans. The leaked projects also included Raspberry Pi images, server images, internal Daimler components for managing remote OLUs, internal documentation, code samples, and passwords and API tokens for Daimler’s systems. Because those credentials were exposed, every password and token in the repositories has to be treated as compromised and rotated, not merely removed from the code.

Expert Comments

May 19, 2020
Chris DeRamus
VP of Technology Cloud Security Practice
Rapid7
Misconfigured security settings are the top culprit behind many major data leaks and breaches. In fact, the number of records exposed by cloud misconfigurations rose by 80% in 2019. In this GitLab instance, bad actors could register an account on Daimler's code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors. Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information. Without a proactive approach to security, companies open themselves up to undue risk. Most organizations rely on detecting risks and misconfigurations in the cloud at runtime (after provisioning or creation) instead of preventing them during the build process, which increases security and compliance risks significantly. It also interferes with productivity, as developers have to spend their time addressing the issues. Daimler’s exposure of their Git repositories highlights how developers and security teams must work towards proactively identifying compliance and security issues before cloud resources are deployed. Instead of primarily relying on runtime security, organizations should “shift left” by taking preventative measures early on in their continuous integration and continuous delivery (CI/CD) pipelines. Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch misconfigurations before leaks occur.
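A concrete form of the “shift left” gate the comment above calls for, as an added example (not code from this page, from Daimler, or from Rapid7): a secret scanner that a CI pipeline runs before deployment to block commits carrying the kind of passwords and API tokens found in the leaked repositories. The detection rules, the entropy threshold, the placeholder list and the sample repository are illustrative assumptions constructed for this example.

```python
"""Minimal pre-deploy secret scanner: a 'shift left' CI gate for committed credentials.

Added example, not Daimler's or Rapid7's code. Rules, thresholds and the sample
repository below are illustrative assumptions chosen for this demonstration.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Detection rules. The first two are structural (a fixed prefix or header); the
# last two capture the value assigned to a credential-looking key, and that value
# is then filtered for placeholders and low entropy.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]{8,})['\"]?"),
    "generic_api_token": re.compile(
        r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]([A-Za-z0-9_\-/+=]{16,})['\"]"),
}
PLACEHOLDER_MARKERS = ("changeme", "replace", "example", "your_", "xxxx", "<", "${", "todo")
MIN_ENTROPY_BITS = 3.0   # assumed threshold; generated secrets usually sit well above it


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str   # leading characters only, so the CI log does not re-leak the secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for a string made of one repeated character."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """True for template values ('changeme', '${VAR}', 'aaaa...') that are not real secrets."""
    low = value.lower()
    return any(m in low for m in PLACEHOLDER_MARKERS) or shannon_entropy(value) < MIN_ENTROPY_BITS


def redact(secret: str) -> str:
    """Keep a 4-character prefix for triage and mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one file and return the confirmed findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                captured = match.groups()          # non-empty only for the value-capturing rules
                secret = captured[0] if captured else match.group(0)
                if captured and looks_like_placeholder(secret):
                    continue
                findings.append(Finding(path, line_no, rule, redact(secret)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory snapshot {path: contents}; a real gate would walk the checkout."""
    return [f for path in sorted(files) for f in scan_text(path, files[path])]


def ci_gate(files: dict[str, str]) -> int:
    """Exit status for the pipeline step: 1 blocks the deploy, 0 lets it through."""
    findings = scan_repo(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.redacted}")
    return 1 if findings else 0


# Constructed sample repository (not real Daimler files): four true positives
# (password, AWS key, API token, private key), one placeholder, one low-entropy
# dummy value and one clean file.
SAMPLE_REPO = {
    "config/deploy.yml": "db_host: db.internal\ndb_password: \"S3cr3t-Pr0d-Pass!\"\n",
    "scripts/upload.sh": "export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\naws s3 cp build.img s3://images/\n",
    "src/client.py": (
        'API_TOKEN = "v9Qz3kLm8xPq2rTw5yHn7bJc"\n'
        'API_KEY = "REPLACE_ME_WITH_REAL_KEY"\n'
        'SESSION_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaa"\n'
    ),
    "keys/deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Never commit a password or API token; inject them as CI variables.\n",
}

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_REPO))
```

Run as a pipeline step, a non-zero exit blocks the deploy, and the redacted output keeps the secret itself out of the build log. A gate like this catches credentials before they reach a server, but it does not address the other half of the Daimler case, an instance that let anyone register an account; that is a server-side setting to audit separately.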
