A GitLab server belonging to the parent company Daimler allowed anyone to create an account. A Swiss security researcher pulled data from hundreds of repositories and published it on the Internet. The data contains not only source code but also passwords and API tokens.
The carmaker Mercedes-Benz has apparently not adequately secured a server with source code for smart car components for trucks. The Swiss software engineer Till Kottmann said he was able to create his own account for a Git web portal of the Mercedes-Benz parent Daimler and to access the code stored there.
In total, Kottmann downloaded code from more than 580 Git repositories. This included source code for the company's onboard logic units (OLU). These are components that sit between a vehicle's hardware and software and connect it to the cloud. OLUs "simplify technical access to and management of live vehicle data," says the Daimler website. Among other things, they are used to implement applications for tracking vehicles or switching them off in the event of theft.
Kottmann found the open GitLab server using a Google Dorks search. "I often look for interesting GitLab instances, mostly with Google Dorks when I'm bored, and I'm always surprised at how easy it is to get into security settings," the researcher said. "It was honestly a very lucky find while I was just going through a couple of brand names hoping to find a small supplier or something."
Daimler had not configured a whitelist of permitted email domains for the registration of new accounts. This allowed him to create an account on Daimler's official GitLab server even without a company email address. Kottmann published the data from the more than 580 repositories on Mega and the Internet Archive, among other places. In addition to source code for OLU components, this included Raspberry Pi images, server images, internal documents on the remote management of OLUs, sample code and internal documentation.
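The misconfiguration described above, open self-registration with no email-domain restriction, is something an administrator can verify from GitLab's own settings rather than discover from the outside. The following is an added example written for this article, not code from Daimler, Kottmann or the GitLab project. It evaluates the JSON that GitLab's admin-only endpoint `GET /api/v4/application/settings` returns and reports the open-registration state; the field names `signup_enabled`, `domain_allowlist` (named `domain_whitelist` in older releases) and `require_admin_approval_after_user_signup` follow the GitLab application settings API, and the assumption is that the audited instance is recent enough to expose them. The two settings documents in the block are constructed samples, not captured from any real server.

```python
"""Audit a GitLab instance's self-registration settings (added example)."""
import json
import urllib.request
from typing import List

# Constructed sample: the open configuration the article describes.
# Anyone can sign up, no domain restriction, accounts active immediately.
OPEN_SETTINGS = json.dumps({
    "signup_enabled": True,
    "domain_allowlist": [],
    "require_admin_approval_after_user_signup": False,
})

# Constructed sample: a hardened configuration. Sign-up stays on, but only
# for a company domain (placeholder), and an admin must approve each account.
HARDENED_SETTINGS = json.dumps({
    "signup_enabled": True,
    "domain_allowlist": ["example.com"],
    "require_admin_approval_after_user_signup": True,
})

# Constructed sample: an older release that still uses the pre-rename key.
LEGACY_SETTINGS = json.dumps({
    "signup_enabled": True,
    "domain_whitelist": ["example.com"],
})


def audit_signup(settings_json: str) -> List[str]:
    """Return a list of findings; an empty list means self-registration is not open.

    The check mirrors the failure in the article: sign-up enabled, no domain
    allowlist, and nobody reviewing who registers.
    """
    settings = json.loads(settings_json)
    findings: List[str] = []

    if not settings.get("signup_enabled", False):
        # Self-registration is off, so the article's failure mode cannot occur.
        return findings

    # Accept both the current key and the legacy name used by older releases.
    allowlist = settings.get("domain_allowlist")
    if allowlist is None:
        allowlist = settings.get("domain_whitelist")
    if not allowlist:
        findings.append(
            "signup_enabled is true and the domain allowlist is empty: "
            "anyone on the Internet can register an account"
        )

    if not settings.get("require_admin_approval_after_user_signup", False):
        findings.append(
            "new accounts become active without admin approval"
        )
    return findings


def fetch_settings(base_url: str, admin_token: str) -> str:
    """Fetch the application settings JSON from a GitLab instance you administer.

    Requires an admin personal access token; GitLab reads it from the
    PRIVATE-TOKEN header. Not called at import time, so the module runs offline.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/application/settings",
        headers={"PRIVATE-TOKEN": admin_token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for label, doc in (("open", OPEN_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        result = audit_signup(doc)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Running the module prints the findings for both constructed configurations; against a live instance, call `fetch_settings()` with an admin token and pass its result to `audit_signup()`. The legacy sample shows why the check reads both key names: an audit script that only knew the newer field would report an allowlisted older instance as open.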
In addition, the security provider Under The Breach found passwords and API tokens for internal Daimler systems while analysing the data. In the wrong hands, both could facilitate the planning of attacks on Daimler's internal network.
The GitLab server has now been switched off. Kottmann, however, announced that he would not delete the copies he had published until Daimler asked him to do so. There is also the question of whether Kottmann's actions violated the law, because he apparently did not try to contact Daimler before publishing the data. According to Kottmann, though, the GitLab server was configured so that anyone could create an account, as if it were an open system, and nothing in the code indicated that it was the intellectual property of Daimler or Mercedes-Benz.