Shrezzing · 2 years ago
> Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the car maker. The London-based cybersecurity company said it discovered a Mercedes employee’s authentication token in a public GitHub repository during a routine internet scan in January.

That's a strange way to disclose a security issue.

esskay · 2 years ago
Indeed, especially when Googling "Mercedes report security issue" literally populates the results with the address to email, so it wasn't like it's hard to find.
wirrbel · 2 years ago
It’s pretty dangerous according to German law to disclose security issues.
mavhc · 2 years ago
Assuming anyone is reading that email account
_kbh_ · 2 years ago
> Indeed, especially when Googling "Mercedes report security issue" literally populates the results with the address to email, so it wasn't like it's hard to find.

Reporting via a third party isn't super unusual if you think that an organisation may be a bit legal-threat happy about your report.

xeornet · 2 years ago
Sounds like he was just trying to guarantee a mention (advertising and clout) in the subsequent TechCrunch article…
cqqxo4zV46cp · 2 years ago
TechCrunch would be very far down my list of publishers were I wanting to responsibly publicly disclose something.

Hard for me to take this particular outfit seriously after they decided to optimise for engagement by running to Entertainment Tonight.

weego · 2 years ago
They'd be on my list if my goal was to tie someone who will give me easy, and very visible, publicity into the process.
rvnx · 2 years ago
"I contacted unrelated people and all the press to help them"
waihtis · 2 years ago
Call it what it is, a totally rat move placing Mercedes in risk for pure self-promotion purposes - instead of going via the vulnerability disclosure channel (first result on google when googling "mercedes security disclosure".)

I hope nobody is stupid enough to ever engage with this firm after this publicity stunt.

0x_rs · 2 years ago
The only thing putting Mercedes at risk is previous sentences going heavy-handed on ethical security researchers that bothered contacting German companies. You can find some examples online where just "poking" with leaked credentials, not unlike OP, was not looked upon favourably.

https://www.theregister.com/2024/01/19/germany_fine_security...

https://www.darkreading.com/vulnerabilities-threats/another-...

cryptos · 2 years ago
> The repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys [...]

That doesn't really sound like security best practices are being applied. Why don't they use a credential store?

jamesrr39 · 2 years ago
Just guessing as an outsider, but... it's a big, conservative car company trying to do software development. Reasons could include:

- Too much red tape/risk assessments/effort/time required to set up a credential store

- Devs working there may not know/understand the importance of it, and may not be up-to-date with modern software development practices.

- Assumption that Github repo will always be private, correctly configured, never leaked.

- Assumption that employee computers with code checked out will always be full disk encrypted and source code never read by a malicious program/transmitted somewhere else.

If you work in a company that makes software for a living, it's worth bearing in mind you are probably nearer the forefront of modern best practices, and there are many companies in other industries that do some software as part of, but not the main part of, the product. These do not necessarily focus on software development and therefore may not be "as hot" with best practices, to put it mildly.

mass_and_energy · 2 years ago
I mean, I think it's fair to say that given they're developing their "Drive Pilot" level 2 SAE software, at least some of this code involves life-or-death systems. For that reason alone I'd expect a higher level of security awareness, so seeing how unhygienic their repos are from a sec perspective is a bit unsettling.
8organicbits · 2 years ago
I do freelance security consulting. There's a cultural element to security that, when missing, leads to obvious problems like this. I'm struggling to think of an engagement where I didn't find improperly stored plaintext credentials somewhere. Credential stores are a constant recommendation.
AlwaysNewb23 · 2 years ago
It seems like they made a lot of assumptions that something like this wouldn't happen. They assumed employees would never leak secret information, and that their GitHub repos would never be exposed. They could've used https://doppler.com or AWS Secrets Manager (https://aws.amazon.com/secrets-manager/) and never had this problem. It's a little too easy to get comfortable thinking things work well the way they are. This should be a warning to other companies to seriously evaluate how they're storing and managing application secrets and credentials.
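The credential-store recommendation in the two comments above (8organicbits and AlwaysNewb23) is only half of the control; the other half is catching a token before it reaches a repository at all. The following is an added example, not code from the thread, from Mercedes-Benz or from RedHunt Labs: a small pre-commit style secret scanner that combines the two checks most such tools use, fixed-format patterns for well-known credential shapes and a Shannon-entropy test for anything else. The GitHub `ghp_` and AWS `AKIA`/`ASIA` prefixes are public format facts; the entropy thresholds, the placeholder allowlist and the sample config lines are assumptions constructed for illustration and contain no real credentials.

```python
"""Pre-commit style secret scanner (added example, not the thread's or any vendor's code).

Two checks: (1) regex patterns for credential formats with a fixed shape, and
(2) Shannon entropy for unknown token types. Run with --staged to scan the
'+' lines of `git diff --cached`, or with no args to scan the constructed SAMPLE.
"""
import math
import re
import subprocess
import sys
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line number, kind, matched value)

# Fixed-shape formats. GitHub classic tokens: prefix + 36 alphanumerics.
# AWS access key IDs: AKIA/ASIA + 16 uppercase alphanumerics.
PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    # scheme://user:password@host - credentials embedded in a connection string
    "connection_string": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@\S+", re.I),
    # password/secret/token = "literal" (quoted, so env lookups do not match)
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Candidate tokens for the entropy check: base64/hex-ish runs of 20+ chars.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")
HEX_THRESHOLD = 3.0   # assumption: hex alphabet caps entropy at 4.0 bits, so use a lower bar
B64_THRESHOLD = 4.0   # assumption: tuned so ordinary identifiers stay below it

# Values that look like templates or documentation rather than live secrets.
PLACEHOLDER_RE = re.compile(r"(?i)^(?:\$|<|\{\{|%)|example|changeme|placeholder|redacted|dummy|your[_-]")


def is_placeholder(value: str) -> bool:
    return bool(PLACEHOLDER_RE.search(value))


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_spans = []  # raw matches, so the entropy pass does not re-report them
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind == "assigned_secret" and is_placeholder(value):
                    continue  # e.g. password = "${VAULT_DB_PASSWORD}"
                matched_spans.append(m.group(0))
                findings.append((lineno, kind, value))
        for tok in TOKEN_RE.finditer(line):
            value = tok.group(0)
            if any(value in span for span in matched_spans) or is_placeholder(value):
                continue
            threshold = HEX_THRESHOLD if HEX_RE.fullmatch(value) else B64_THRESHOLD
            if shannon_entropy(value) > threshold:
                findings.append((lineno, "high_entropy", value))
    return findings


def scan_staged_diff() -> List[Finding]:
    """Scan only added lines of the staged diff, as a pre-commit hook would.
    Line numbers are positions within the added lines, not file line numbers."""
    try:
        diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                              capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added)


# Constructed sample file; every value below is fake.
SAMPLE = """\
# config.py (constructed sample, no real credentials)
DB_URL = "postgres://svc_user:Sup3rS3cret!@db.internal:5432/prod"
GITHUB_TOKEN = "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789"
AWS_ACCESS_KEY_ID = "AKIAZZZZTESTKEY00001"
api_key = os.environ["API_KEY"]
password = "${VAULT_DB_PASSWORD}"
session = "c2VjcmV0LWxvb2tpbmctYmFzZTY0LXZhbHVlLWhlcmU="
"""

if __name__ == "__main__":
    results = scan_staged_diff() if "--staged" in sys.argv else scan_text(SAMPLE)
    for lineno, kind, value in results:
        # Truncate so the hook itself does not echo the secret into CI logs.
        print(f"line {lineno}: {kind}: {value[:8]}...")
    sys.exit(1 if results else 0)
```

On the constructed sample the scanner reports the connection string on line 2, the GitHub token on line 3 (by both the format pattern and the `TOKEN = "..."` assignment rule), the AWS key ID on line 4 and the unlabelled base64 blob on line 7 by entropy, while the `os.environ` lookup and the `${...}` template on lines 5 and 6 pass. A hook like this is a backstop, not a substitute for a secrets manager: it only sees what is committed after it is installed, so existing history still needs a full scan and any token it finds should be treated as already exposed and rotated.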
kavalg · 2 years ago
I wonder if any private keys used for signing genuine MB parts have leaked as well. Auto makers seem obsessed with controlling the spare part market and leaking the keys used to authenticate spare parts would make it possible for other vendors to produce compatible parts in the future.
rswail · 2 years ago
> Auto makers seem obsessed with controlling the spare part market

It is a major source of revenue and allows for markups to be optimized for brand.

A lot of parts are shared across lines within a manufacturer and across manufacturers.

MB wants their customers buying MB parts with an MB markup. Even if it's a Bosch part that is identical in a Ford.

djaychela · 2 years ago
Indeed. Ironically, I had a Porsche 928 which used an air actuator from Mercedes, and it was a fraction of the price from them. The parts guy at Merc was a little sniffy, but it saved me £100!
alkonaut · 2 years ago
The headline says "exposed source code". The article says it exposed keys, SSO passwords, and other things that sound much worse than exposing source code.

Some tiny fraction of source code has value as intellectual property, but most of it is probably not valuable or sensitive. Passwords/Keys/PII/Documents on the other hand could be very bad if they got lost.


hoseja · 2 years ago
Automotive software should be mandated to be open-source.
jesterson · 2 years ago
Absolutely not. Saying this as a huge proponent of open source.

If it’s the case, each clown garage shop would be able to modify key characteristics of any car. And oh boy they will do it.

Would you fly on an aircraft knowing the mechanic servicing it last night could have added something funny to the plane you are taking?

chefandy · 2 years ago
Being closed source doesn’t strike me as an effective mitigation tactic. You can already buy aftermarket ECUs and such, and it’s pretty unlikely the garage would install anything that would invade your privacy more than what the manufacturers have installed. If they were going to do it as a prank or shortcut or misguided enhancement, they can do exactly the same thing with physical parts. I guess I just don’t see the threat vector here. The big benefit seems to be auto manufacturers being able to rely on security through obscurity, which has already failed:

https://news.ycombinator.com/item?id=35452963

jamesrr39 · 2 years ago
> If it’s the case, each clown garage shop would be able to modify key characteristics of any car. And oh boy they will do it.

Car workshops would modify and compile their own distribution of the car source code? I can't say I have ever been to a workshop where I would imagine anything like that.

Open source here would clearly be a big win for security and bug identifications in cars. Better quality laws to go along with it to protect researchers would naturally be a big positive as well.

For a comparison, look to Android. AOSP is open source, and whilst alternative, non-OEM flavours of Android do exist (GrapheneOS, LineageOS, etc.), you don't see shops that fix or sell phones putting any of these on the phone. And if you did, would it be a security downgrade? I don't think so!

> Would you fly on aircraft knowing mechanic servicing it last night could have added something funny to the plane you are taking?

But... they could have done. Maybe not the software, but mechanically, of course it's possible. Why doesn't it happen though? I guess the same reasons why in general people act responsibly in society.

reedciccio · 2 years ago
There is a difference between being able to inspect, study and modify software for a car and installing modified versions on your or someone else's car. We already have regulations covering radio emissions; this could be the same: modify all you want, but you can't install a modified version unless you validate the modifications with a certification authority. Btw, the Cyber Resilience Act in the EU will cover these cases.
hoseja · 2 years ago
You give the mechanic an opportunity to cut your brake lines too and they don't do it. It's part of the appliance, it should be accessible. Maybe I was imprecise with open-source, I meant more source-available.
p_l · 2 years ago
The mechanics absolutely could, though.

In fact, it's a core thing in aviation for maintenance, repair, but also modification/changes to be decoupled from vendor.

It's pretty normal for a vendor to not exist for a generation or two while the plane is still in productive work.

rurban · 2 years ago
As clown garage shop I already have access to the ECU, TCU and so on. And can change lots of internal settings. That's what we all did in the first auto-mechanics course.
j-bos · 2 years ago
Is this a joke? Mechanics can already swap critical parts with substandard replacements or finagle sensor overrides with some tape. Why should software be so sacrosanct to the manufacturer and not the owner?
theK · 2 years ago
I've thought about this a couple of times.

In a perfect world, you want to be able to safely ~hack~investigate every part of your car, including the logic that controls its servos, hydraulics, propulsion, etc.

So the whole OS and controller firmware should be open source, right?

It would be awesome, but problems arise with qualifying which "devices" this should apply to. Are all self-propelled four-wheelers cars? What about three-wheelers? And why make a distinction on wheels? And if propulsion is the driver, then I can see dealers suddenly selling you (proprietary) carriages and an added service of mounting an engine on them.

Soon enough you come to the point where absolutely everything needs to be open source. And while I would be happy to be part of that world, I don't really see a tangible way towards it. It just seems there is too much vested interest in defending the right for proprietary software.

The one avenue where there might be a sliver of hope for such an idea is maybe commercial aviation. That field is already overly regulated, so it might be doable. There will still be a huge loophole in terms of military vehicles, but it still seems vastly more realistic than forcing all car companies to open-source everything.

dontlaugh · 2 years ago
Vehicle categories already exist in all countries, for the purposes of registration, taxation, safety, etc.
eesmith · 2 years ago
> In a perfect world, you want to be able to safely ~hack~investigate every part of your car

I really don't think the standard "safely ~hack~investigate~" is reasonable, for both practical and policy reasons.

By focusing on an imaginary perfect world, you take focus away from the real world, where we know people do unsafe hacks to their car already, even without touching software, like https://honda-tech.com/articles/crash-kills-man-in-home-buil... .

There is no way to prevent those unsafe hacks that wouldn't also prevent huge numbers of safe hacks which people accept and support as reasonable, and place a huge and undue amount of control into the auto manufacturer.

In the old days of Ma Bell, AT&T tried to prevent Hush-A-Phone from selling a mouthpiece cover designed to make it harder for others to overhear your conversation. AT&T argued that a foreign attachment like that could damage the phone network. A decade later AT&T sued Carterfone for selling an acoustic coupler to a radio, using the same justification of possible damage. AT&T lost both cases, and the latter case is why early personal computer modems were acoustically, not electrically, coupled.

We should not extend that same power to auto manufacturers.

> but problems arise with qualifying which "devices" this should apply to

Which is why this sort of legislation is done in steps. Focus on where it makes the most sense, get experience on how useful it is and what the negative consequences are, and use that experience to judge if anything else should be included.

That's why the Motor Vehicle Owners' Right to Repair Act (see https://en.wikipedia.org/wiki/Motor_Vehicle_Owners'_Right_to...) focuses only on motor vehicles, and not the right to repair all machinery and devices.

sauercrowd · 2 years ago
?

Why?

INTPenis · 2 years ago
I'm not the person you replied to but I agree, because it's related to public safety.

Same with aviation software.

Anything that deals with public safety should be audited by the public.


newsclues · 2 years ago
I would like to start with forcing them to allow it as a low/no cost option, at least for some models.

Imagine people had the option when buying a car, truck or minivan of having it be open and tinkerable?

Most people won't care, but some hobbyists will. Some companies will love it, some startups might be founded for it. But eventually there will be a killer app, or huge benefit, and it will become more common until it is standard.

I'd imagine certain groups like farmers would jump on buying open source trucks, hoping they can get them to last longer, or repair them cheaper.

jijijijij · 2 years ago
I am not sure it's manageable for a society when random people start messing with code controlling brakes and stuff. You'd think that's neatly separated into a single-purpose IC, but I fear it isn't. Gonna be a nightmare for insurers and courts.
moffkalast · 2 years ago
Listening to the recent CES interviews by Jeff Geerling where car manufacturers explain how they see the process, with SOAFEE (the ROS knock-off for cars) and other systems where they want software-defined vehicles and complete freedom to change anything (and charge for those changes, ofc) after they have already sold them, it's honestly completely horrifying from the end-user perspective.

As much as it would be nice for hobbyists, this is one can 2.0A of worms that needs to be kept as shut as possible by lawmakers.

jacquesm · 2 years ago
So, maybe someone can go and help fix their miserable mess? MB used to make awesome cars. Then they 'modernized' their interior and it became a UI mess and then they added more and more software and it became unreliable and sometimes downright dangerous. I have driven their cars on and off for decades but I'm really done with them. Highly unlikely I'll have another MB as my daily driver.
jeffrallen · 2 years ago
Try a Tesla, I hear their software is tip-top!
sethammons · 2 years ago
I haven't been in a tesla in a number of years. First and only ride.

The map of cars around us having cars jumping to new locations and flipping between motorcycles and buses for the same neighboring vehicle did not inspire confidence. The car seemed confused on its surroundings.

An exit lane to our left on the freeway came to a stop while we were on autopilot; the car thought our lane had stopped, so it slammed on the brakes, nearly causing the car behind us to crash into us.

miohtama · 2 years ago
> The repositories include a large amount of intellectual property… connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information.”

Any senior developer or security researcher knows this kind of secret should not be part of the source code repository. Does Mercedes-Benz have a rotten software development culture?

OJFord · 2 years ago
Senior developer or a security researcher?! This is like.. maybe you have to tell an intern kind of thing.
AlwaysNewb23 · 2 years ago
What I want to know is how are they not using a secret manager (like Doppler or AWS Secrets Manager) at a company of this size? They could have avoided all of this. These types of leaks can cost companies everything (from their data to customer trust).
miohtama · 2 years ago
The root cause: They are not using it because engineers who committed secrets to a GitHub repository are not going to face any repercussions. Their salary does not depend on it, like the salary of their bosses. So it does not cost anything on a personal level.
StudyAnimal · 2 years ago
They call themselves a software company. The guys in India that develop the software know what they are doing but the managers in Germany have no clue what they are doing. Sitting all day in meetings planning strategies for beating Tesla. The guys in India are mostly fixing bugs in software released years ago.
Sheeny96 · 2 years ago
Many car companies are transitioning from a predominantly mechanical engineering space to a predominantly software engineering space, along with all the legacy mindset that comes with. It's par for the course when they can't understand that they're now a tech company and need to invest as such.
