ZDNet reports that the source code of a “smart car” component installed in Mercedes-Benz trucks leaked online over the weekend. Before the leak, Till Kottmann, a Swiss software engineer, discovered a Git portal belonging to Daimler AG, the German car maker that owns the Mercedes-Benz brand.
Kottmann told ZDNet that he could register an account on Daimler’s code hosting portal and download more than 580 Git repositories containing the source code for the in-car logic unit (OLU) installed on the Mercedes-Benz van.
What is OLU?
According to Daimler’s website, the OLU is a component between automotive hardware and software that connects vehicles to the cloud.
Daimler said OLU simplified technical access and management of real-time vehicle data and allowed third-party developers to create applications to retrieve data from Mercedes trucks.
These apps are typically used to track trucks on the road, monitor a truck’s internal status, or immobilize a truck to prevent theft.
Unsafe GitLab installation leaks OLU code
Kottmann told ZDNet that he found Daimler’s GitLab server using simple techniques such as Google dorks (specially crafted Google search queries).
GitLab is a web-based package that companies use to centralize Git repositories.
Git is software designed to track source code changes; it lets a multi-person engineering team write code and then sync it to a central server — in this case, Daimler’s GitLab-based web portal.
Kottmann told ZDNet: “When I’m bored, I often look for interesting GitLab instances, most of them using a simple Google dork, and I’ve always been surprised that security settings have been barely taken into account.”
Kottmann said Daimler had failed to implement an account confirmation process, which allowed him to register an account on the company’s official GitLab server using a non-existent Daimler email address.
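The weakness described above is a configuration problem rather than a software bug: self-registration was enabled and no step verified that the registrant actually controlled an address in the company’s domain. The following is an added example, not code from Daimler, Kottmann or GitLab, that audits an instance’s sign-up restrictions. The setting names (`signup_enabled`, `email_confirmation_setting`, `domain_allowlist`, `require_admin_approval_after_user_signup`) and the `/api/v4/application_settings` endpoint are the ones GitLab’s application settings API exposes as I know them; the legacy fallbacks (`send_user_confirmation_email`, `domain_whitelist`) and the sample settings dictionaries are assumptions constructed for the example, so check them against the installed GitLab version.

```python
"""Audit a GitLab instance's sign-up restrictions.

Added example. An open instance with no email confirmation is exactly the
condition that let an outsider register with a made-up corporate address.
"""
import json
import urllib.request


def fetch_application_settings(base_url: str, admin_token: str) -> dict:
    """Fetch live settings from GET /api/v4/application_settings (admin token).

    Not exercised by the offline samples below; the endpoint and the
    PRIVATE-TOKEN header are GitLab's documented API conventions.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/application_settings",
        headers={"PRIVATE-TOKEN": admin_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_signup_settings(settings: dict) -> list[str]:
    """Return one finding per weak setting; an empty list means sign-up is gated."""
    findings: list[str] = []

    # GitLab defaults signup_enabled to true, so a missing key is treated as open.
    if not settings.get("signup_enabled", True):
        return findings  # no self-registration at all: nothing further to check

    # Newer releases expose email_confirmation_setting ("off"/"soft"/"hard");
    # older ones used the boolean send_user_confirmation_email (assumption:
    # both forms are handled here). Only "hard" blocks an unverified address.
    confirmation = settings.get("email_confirmation_setting")
    if confirmation is None:
        confirmation = "hard" if settings.get("send_user_confirmation_email") else "off"
    if confirmation != "hard":
        findings.append(
            "email confirmation is not 'hard': accounts can be used with an "
            "address the registrant never proved they control"
        )

    # domain_allowlist (domain_whitelist before the rename, assumption) limits
    # sign-ups to corporate domains; an empty list allows any address.
    if not (settings.get("domain_allowlist") or settings.get("domain_whitelist")):
        findings.append("no domain allowlist: any email domain may register")

    # A human approval step catches registrations that slip past the other gates.
    if not settings.get("require_admin_approval_after_user_signup", False):
        findings.append("new sign-ups are not held for admin approval")

    return findings


# Constructed sample settings, not data from any real instance.
CONSTRUCTED_OPEN_INSTANCE = {
    "signup_enabled": True,
    "email_confirmation_setting": "off",
    "domain_allowlist": [],
    "require_admin_approval_after_user_signup": False,
}
CONSTRUCTED_HARDENED_INSTANCE = {
    "signup_enabled": True,
    "email_confirmation_setting": "hard",
    "domain_allowlist": ["example-corp.invalid"],
    "require_admin_approval_after_user_signup": True,
}
CONSTRUCTED_CLOSED_INSTANCE = {"signup_enabled": False}


if __name__ == "__main__":
    for name, cfg in (
        ("open", CONSTRUCTED_OPEN_INSTANCE),
        ("hardened", CONSTRUCTED_HARDENED_INSTANCE),
        ("closed", CONSTRUCTED_CLOSED_INSTANCE),
    ):
        print(name, audit_signup_settings(cfg) or ["ok"])
```

Disabling self-registration outright is the simplest fix for an internal code host; where external contributors genuinely need accounts, hard email confirmation plus a domain allowlist closes the specific gap in the story, and admin approval adds a backstop.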
The researcher said he downloaded more than 580 Git repositories from the company’s servers and planned to make them public over the weekend, uploading the files to several locations, including the file hosting service MEGA, the Internet Archive and his own GitLab server.
In response, ZDNet reviewed some of the leaked Git repositories. None of the files it viewed contained an open source license, which, the report says, indicates that none of the files were proprietary information that should not be made public.
The leaked projects include the source code for the OLU components of the Mercedes van, as well as Raspberry Pi images, server images, Daimler internal components used to manage the remote OLU, internal documentation, code samples, and more.
Although the initial leaked data may seem harmless, the threat intelligence firm responsible for reviewing the data told ZDNet that it had discovered passwords and API tokens for Daimler’s internal systems. If these passwords and access tokens fall into the hands of someone with bad intentions, they could be used to plan and launch intrusions against Daimler’s cloud computing and internal networks.
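The passwords and API tokens found in the repositories are the part of this leak with lasting consequences. A credential scan run before code is pushed (or over an existing repository) is the usual defensive control; the following is an added example, not code from Daimler, ZDNet or Under the Breach, of a minimal scanner that walks a set of files, flags generic credential assignments, AWS access key IDs and private-key blocks, and uses a Shannon entropy threshold plus a placeholder check to skip documentation values such as `"changeme"`. The sample repository contents are constructed for the example (the AWS key is the documented AWS example value), and the patterns are deliberately simple; production tooling such as a dedicated secret scanner has far larger rule sets.

```python
"""Minimal credential scanner over in-memory repository files (added example)."""
import math
import re
from collections import Counter

# Generic "key = value" credential assignments; the value runs to whitespace or a quote.
GENERIC_RE = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|api[_-]?token|token)"
    r"\s*[:=]\s*['\"]?([^'\"\s,;]{8,})"
)
# AWS access key IDs always begin with AKIA followed by 16 uppercase/digits.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# PEM private-key headers, with or without an algorithm label.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Values that are obviously documentation placeholders, not real secrets.
PLACEHOLDER_RE = re.compile(r"^(<[^>]*>|\$\{?[A-Za-z_]+\}?|x{4,}|\*{4,})$", re.I)
ENTROPY_THRESHOLD = 3.0  # bits per character; real tokens sit well above this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; low values suggest a human-chosen placeholder."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo a full secret into logs or CI output."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(path: str, text: str) -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append({"path": path, "line": lineno, "kind": "private-key", "preview": "PEM block"})
            continue
        aws = AWS_KEY_RE.search(line)
        if aws:
            findings.append({"path": path, "line": lineno, "kind": "aws-access-key-id",
                             "preview": redact(aws.group(0))})
            continue
        generic = GENERIC_RE.search(line)
        if generic:
            value = generic.group(2)
            if PLACEHOLDER_RE.match(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # documentation placeholder, not a credential
            findings.append({"path": path, "line": lineno, "kind": "generic-credential",
                             "preview": redact(value)})
    return findings


def scan_repo(files: dict) -> list[dict]:
    """files maps a repository path to its text content."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository; nothing here is a real file or a real secret.
CONSTRUCTED_REPO = {
    "config/olu_backend.yml": (
        "# constructed sample, not a real vendor file\n"
        "service: olu-fleet-api\n"
        'api_token: "olu-prod-7f3a9c1e2b4d6f8a0c1e3b5d"\n'
    ),
    ".env.example": "DB_PASSWORD=Tr0ub4dor&3xample\nDB_HOST=db.internal\n",
    "README.md": (
        "Set your credentials before running:\n"
        'password = "changeme"\n'
        "# the token is fetched from the vault at runtime\n"
    ),
    "deploy/push_image.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n",
}


if __name__ == "__main__":
    for f in scan_repo(CONSTRUCTED_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['preview']}")
```

Run as a pre-receive hook or CI job, a scanner like this turns the finding into a blocked push rather than a post-leak clean-up; once a token has been committed, rotating it is the only reliable remedy, because history survives in every clone.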
Now, both ZDNet and Under the Breach have contacted Daimler, which has downloaded the data from GitLab servers. A Daimler spokesman did not respond to a formal request for comment.
Kottmann told ZDNet that he intended to leave Daimler’s source code online until the company asked him to delete it.
However, there are still some questions about the legality of Kottmann’s actions, as he did not attempt to notify the company before releasing the source code online over the weekend.
Daimler’s GitLab server, on the other hand, allowed anyone to sign up for an account, which some might interpret as an open system. In addition, ZDNet’s review of the source code earlier today found no notice that it was proprietary technology.