must read Intel investigating breach after 20GB of internal documents leak online

Mercedes-Benz onboard logic unit (OLU) source code leaks online

Daimler allowed anyone to register on one of its on-premise GitLab servers.

Image: Daimler

The source code for "smart car" components installed in Mercedes-Benz vans has been leaked online over the weekend, ZDNet has learned.

The leak occurred after Till Kottmann, a Swiss-based software engineer, discovered a Git web portal belonging to Daimler AG, the German automotive company behind the Mercedes-Benz car brand.

Kottmann told ZDNet that he was able to register an account on Daimler's code-hosting portal, and then download more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans.

What's an OLU?

According to the Daimler website, the OLU is a component that sits between the car's hardware and software, and "connects vehicles to the cloud."

Daimler says the OLU "simplifies technical access and the management of live vehicle data" and allows third-party developers to create apps that retrieve data from Mercedes vans.

These apps are usually employed for features such as tracking vans while on the road, tracking a van's internal status, or for freezing vans in case of theft.

Unsecured GitLab installation leaks OLU code

Kottmann told ZDNet in an interview today that he found Daimler's GitLab server using something as simple as Google dorks (specialized Google search queries).

GitLab is a web-based software package that companies use to centralize work on Git repositories.

Git is specialized software for keeping track of changes in source code and is allows multi-person engineering teams to write code and then synchronize it to a central server -- in this case, Daimler's GitLab-based web portal.

"I often just hunt for interesting GitLab instances, mostly with just simple Google dorks, when I'm bored, and I keep being amazed by how little thought seems to go into the security settings," Kottmann told ZDNet.

"This was honestly just a very lucky find while I was going through some brand names I hadn't checked before in hopes of finding like some small contractors or something."

Kottmann says Daimler failed to implement an account confirmation process, which allowed him to register an account on the company's official GitLab server using a non-existent Daimler corporate email.

The researcher says he downloaded more than 580 Git repositories from the company's server, which he made publicly available over the weekend, uploading the files in several locations such as file-hosting service MEGA, the Internet Archive, and on his own GitLab server.

A Telegram channel where Kottmann published links to the Daimler data.

Image: ZDNet

Image of Kottmann's own GitLab server hosting the Daimler data.

Image: ZDNet

ZDNet has reviewed some -- not all -- of the leaked Git repositories. None of the files we viewed included an open-source license, suggesting this was proprietary information that was not meant to have been made public.

The leaked projects included the source code of Mercedes vans OLU components, but also Raspberry Pi images, server images, internal Daimler components for managing remote OLUs, internal documentation, code samples, and more.

While the leak appeared to be harmless in the beginning, threat intelligence firm Under the Breach, which also reviewed the data, told ZDNet they discovered passwords and API tokens for Daimler's internal systems. These passwords and access tokens, in the wrong hands, could be used to plan and mount future intrusions against Daimler's cloud and internal network.

After both ZDNet and Under the Breach reached out today to Daimler, the company took down the GitLab server from where Kottmann downloaded the data. A Daimler spokesperson did not return a formal request for comment.

Kottmann told ZDNet he intends to leave Daimler's source code online until the company reaches out to request he takes it down.

However, some questions remain about the legality of Kottmann's actions, as he did not attempt to notify the company before publishing its source code online over the weekend.

On the other hand, the GitLab server allowed anyone to register an account, which some could interpret as being an open system. Furthermore, source code that ZDNet reviewed earlier today did not contain warnings that this was proprietary technology.