Nissan North America has had the source code of mobile apps and internal tools leaked online after misconfiguring one of its Git servers. The Git server had a default username and password (admin/admin) and has now been taken offline. Nissan is investigating the leak. Offering insight on the story are the following cybersecurity professionals.
<p>Using weak authentication is a huge security mistake for organizations that can have serious ramifications, including potentially leaking intellectual property, as we’ve seen with the Nissan source code exposure. Unfortunately, authentication issues are commonplace, as our recent <a href="https://orca.security/public-cloud-security-risks-research" target="_blank" rel="noopener">State of Public Cloud Security Report</a> found that 5.3 percent of organizations have at least one workload accessible using either a weak or leaked password. Multi-factor authentication (MFA) is an essential tool to help combat this challenge, but it is also being underutilized by organizations. Our research found that 23.5 percent of organizations aren’t using MFA to protect their high-risk accounts with super admin users. Strong authentication is key for organizations to conduct business in the digital economy, and critical breaches will continue to occur as long as hackers can easily find and exploit weak links.</p>
<p>Modern connected cars with convenient features like remote unlock and remote start require at least a 4-digit PIN to do it and strong authentication to use them. It’s curious, then, why the alleged source code repository for the backend and front-end of this technology wasn’t protected with an equally bare-minimum security method. This is a classic example of security being only as good as the weakest link – most likely in this case down to both human error and a lack of process for risk scanning of critical infrastructure for vulnerable credentials and effective data security.</p>
<p>The recent SolarWinds situation should have prompted organisations across industry to revisit their supply chain security, data security and authentication as a matter of priority – including any internet-facing or cloud components. Access to code for potential core IoT/connected car applications opens up a raft of potential vulnerability exploits for attackers, if the claims of the full source code dump circulating on Twitter are indeed true. Connected systems at the edge, including automotive components, are not always simple to update at a firmware level to address new threats, requiring dealership processes. This means any discovered exploits, such as vulnerable TCP/IP stacks, credential management and offline authentication methods in the connected path to the vehicle’s bevy of connected devices, may indeed become targets for attacker analysis and compromise, made easier with access to source code.</p>
<p>It is a basic security control to change the vendor default passwords whenever a system is deployed. From the nature of the content, this should be a production system and reviewed prior to having the source code uploaded. This basic control forms part of most organizations’ ISMS standards, i.e. ISO 27001 policies and regulations internally. As Nissan Japan had their 9001 certificate revoked in 2017 by authorities, it is not the first time the successful implementation of good plans and strategies has not reached all the way to execution in the large organization.</p>