[German]There has been a security incident at Mercedes Benz. A Swiss engineer found a GitLab server where he could create an account and then access the source code of onboard logic units (OLUs). These OLUs are built into the new 'Smart Car' models of the Mercedes-Benz VANs (Vito, eVito) and allow the use of Daimler digital services.
Advertising
Mercedes-Benz: Digitalization in transport sector
First a few words about OLUs. Onboard Logic Units (OLUs) are electronic control units that are also used in Mercedes-Benz vehicles (Smart Car). Mercedes Benz VANS describes their purpose in the project 'Digitalization in the transport sector' in this German blog post. There they wrote:
The current generation of the Sprinter (VANs) came onto the market as a fully networked vehicle just over a year ago. With it – and now also with the Vito and eVito models – the Mercedes PRO connect services can be used.
The networking solution from Mercedes-Benz enables customers to control orders online and to request vehicle information such as location, tank level or maintenance intervals in almost real time. Among other things, transport companies can reduce downtimes through forward-looking maintenance and repair management. At the same time, Mercedes-Benz also enables a business management analysis of the fleet. According to the blog post, fleet operators from small businesses to major customers use the services of Mercedes PRO. In July 2019 almost every second new Sprinter customer had activated one or more services.
Access to the source code
Daimler has stored the source code of the software for this onboard logic units on a GitLab server so that developers can access it.
A Swiss software engineer found the server using Google dorks and then registered an account — because Daimler didn't limit the registration process to Daimler corporate emails.
He then downloaded 580 of Daimler's OLU repos. pic.twitter.com/9oxbqS3PqT
— Catalin Cimpanu (@campuscodi) May 18, 2020
Apparently, the Daimler people made a mistake in securing the GitLab server. Till Kottmann is a software developer from Switzerland. He came across the Daimler GitLab server via 'Google Dorks' and discovered that the administrators had not limited the registration of new accounts to e-mail addresses of Daimler employees.
Advertising
According to him, this enabled him to create his own account at the Git-Web portal of the Mercedes-Benz parent company Daimler. He could then access the source code repository. There he found the source code of more than 580 Git repositories, which he downloaded.
Among them was the source code of the Onboard Logic Units (OLUs) that are installed in Daimler vehicles. The OLUs are supposed to connect the vehicles 'with the cloud'. Among other things, this involves tracking vehicles, or deactivating a stolen vehicle. An article from ZDNet with more details can be found here.
