Mercedes-Benz owner Daimler left 580 repos open on the Internet—naked and unprotected. A Swiss researcher discovered the trove with a simple dork—a crafted Google search term.
The code controls the onboard logic units (OLU) in the company’s vans. It also includes passwords and API tokens for Daimler cloud services.
Red faces in Stuttgart, und so weiter. In this week’s Security Blogwatch, we learn from others’ mistakes.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Janet has a plan.
OLU OSINT OOPS
What’s the craic? Catalin Cimpanu reports—OLU source code leaks online:
The source code for … components installed in Mercedez-Benz vans has been leaked online. … Daimler allowed anyone to register on one of its … servers.
…
Till Kottmann, a Swiss-based software engineer, discovered a … web portal belonging to Daimler AG, the German automotive company behind the Mercedes-Benz car brand. … He was able to register an account on Daimler's code-hosting portal, and then download more than 580 Git repositories containing the source code of … OLUs installed in Mercedez vans.
…
The leak [includes] passwords and API tokens for Daimler's internal systems. … In the wrong hands, [they] could be used to plan and mount future intrusions against Daimler's cloud and internal network.
…
Kottmann … found Daimler's GitLab server using something as simple as … Google search queries. … "I often just hunt for interesting GitLab instances … and I keep being amazed by how little thought seems to go into the security settings."
…
A Daimler spokesperson did not return a formal request for comment.
OLU? Jay Jay explains—Daimler AG left OLU source code of Mercedes vans accessible to anyone:
Onboard logic units or OLUs are the control unit of Mercedes vans, connecting them to the cloud and enabling third-party developers to create apps that retrieve data of the vehicle like the van's internal status or for freezing vans in case of theft.
Ohhh, “the cloud,” eh? Malays2 bowman denies they’re a cammo wearing kook:
Do. Not. Want. I see a rather profitable cottage industry popping up that involves removing/bypassing this ****.
People laugh whenever somebody mentions "New World Order", and they risk being labeled a cammo wearing kook who loves to play GI-Joe in the woods with a rusty AK-47. [But] there is nothing supernatural or unreal about it. It's yet another classic power grab, but this time taken up a few notches.
Uhhh, okay. Chris de Ramus drives the story home, co-piloted by Duncan Riley—Mercedes-Benz source code exposed via misconfigured Git registration system:
In this GitLab instance, bad actors could register an account on Daimler’s code-hosting portal and download over 580 Git repositories containing the Mercedes source code and sell that information to the company’s competitors. … Additionally, hackers could leverage the exposed passwords and API tokens of Daimler’s systems to access and steal even more of the company’s sensitive information.
…
Without a proactive approach to security, companies open themselves up to undue risk. Most organisations rely on detecting risks and misconfigurations in the cloud at runtime … instead of preventing them during the build process, which increases security and compliance risks significantly. It also interferes with productivity, as developers have to spend their time addressing the issues.
…
Organizations should ‘shift left’ by taking preventative measures early on in their … CI/CD pipelines. … Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch misconfigurations before leaks occur.
So what are these search queries? Chris Ueland and Courtney Couch aren’t dorks—Exploring Google Hacking Techniques:
A Google Dork … is a valuable resource for security researchers. For the average person, Google is just a search engine. … However, in the infosec world, Google is a useful hacking tool.
…
As it has tremendous web-crawling capabilities, [Google] can index almost anything within your website, including sensitive information. This means you could be exposing too much information about your web technologies, usernames, passwords, and general vulnerabilities without even knowing it.
…
Google’s search engine has its own built-in query language. … Queries can be run to find a list of files, find information about your competition, track people, get information about SEO backlinks, build email lists, and of course, discover web vulnerabilities.
…
To prevent your sensitive information from being indexed by search engines:
- Protect private areas with … authentication and … IP-based restrictions.
- Encrypt your sensitive information. …
- Run regular dork queries against your own website. …
- If you find sensitive content exposed, request its removal by using Google Search Console.
- Block sensitive content by using a robots.txt file.
And what does the perp have to say for themself? @deletescape:
The leak is around 550 repos and very well documented. … It's a hardware platform for a very specific usecase, but this leak should allow recreating it with low cost hardware.
…
I purely do this out of curiosity. … It's just so interesting to look at the stuff people never thought anyone would see and figure out how it works.
…
Most of the stuff I post is public repos on gitlab instances (great threat models huh), or just the same kind of instances where I can simply sign up myself. At least under Swiss law this is somewhat of a gray zone, but I obviously know that I'm walking a very thin line here.
…
I love helping companies open source their code. … ;)
However, vtcodger raises the other hand:
OTOH, you're likely going to be annoyed when some bored teenager in Mongolia succeeds in locking you and all other owners of your vehicle model out of your cars – at least until the nearest dealer can motor out with a specialized tool and unbrick the thing. Might be bit of a service queue involved.
Connectivity is not without risks. There's probably some optimum balance between connection and local autonomy. But I can't see much sign that car makers, and especially luxury vehicle makers are seeking that balance out.
And @SchizoDuckie swearily criticizes Kottmann:
What an *******. I hope he gets sued into oblivion.
…
Dumping it all online on various sources 'for the lulz' is a dick move.
Meanwhile, Ken_g6’s offering is an older meme, sir; but it checks out:
So what they're saying is that … OLU base are belong to us?
The moral of the story?
DevSecOps red-team exercises need to include OSINT from dorking, etc.
And finally
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image sauce: Dronsfields Mercedes (cc:by)
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
