Lessons from the Mercedes-Benz GitHub source code leak

The German automotive giant Mercedes-Benz found itself on the wrong end of a software supply chain incident after RedHunt Labs found a leaked GitHub token belonging to an employee of the carmaker that granted "'unrestricted’ and 'unmonitored'" access to the entirety of source code hosted on Mercedes’ internal GitHub Enterprise Server.

In a post published on Monday, RedHunt Labs said that the exposed token “laid bare sensitive repositories housing a wealth of intellectual property.” That included Mercedes’ “Database Connection Strings, Cloud Access Keys, Blueprints, Design Documents, SSO Passwords, API Keys, and Other Critical internal information.”

The leaked GitHub access token was contained in a public GitHub repository belonging to the employee. In a statement issued to TechCrunch, a Mercedes representative Katja Liesenfeld acknowledged the security lapse. The statement came after the publication informed Mercedes-Benz of RedHunt’s discovery. Mercedes revoked the leaked API token and removed the public repository immediately.

We can confirm that internal source code was published on a public GitHub repository by human error. The security of our organization, products, and services is one of our top priorities. We will continue to analyze this case according to our normal processes. Depending on this, we [may] implement remedial measures.

Katja Liesenfeld

Here's what we know about the source code leak — and lessons to draw from it.

Special Report: The State of Software Supply Chain Security (SSCS) 2024Download Report: State of SSCS

Leaked development secrets: A common problem

Leaked secrets are a problem facing many organizations amidst the shift to modern, agile development with its heavy reliance on open source, third party codes, and platforms. ReversingLabs most recent State of Software Supply Chain Security report, for example, found more than 40,000 secrets spread across four major open-source repositories: npm, PyPI, RubyGems, and NuGet.

In many cases, loose developer practices and the absence of adequate checks for both raw and compiled code were the reason for the security exposure. For example, in the many cases of secret leaks via open source platforms that ReversingLabs observed during 2023, developers placed access tokens in their code or in comments to streamline publishing to these platforms. However, many forgot to remove these access tokens prior to uploading their code. For example, ReversingLabs found a package on an open-source repository with a “notes” file that included the developer’s log along with several tokens.

Mercedes-Benz and security: The best or nothing?

This isn’t the first time Mercedes-Benz has been tripped up by software supply chain security blunders. In May, 2020, for example, ZDNet reported that source code used in smart car components designed by Mercedes-Benz was exposed online as a result of a misconfigured Git registration system.

In that incident, Till Kottmann, a software engineer based in Switzerland, discovered a Git web portal belonging to Daimler AG, Mercedes-Benz’s parent company. According to the ZDNet report, Kottmann said he was able to register an account on Daimler's code-hosting portal, and then download more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans.

In January, Mercedes-Benz also featured prominently in the report Web Hackers Versus The Auto Industry, in which a group of independent security researchers led by Sam Curry gained access to hundreds of mission-critical internal Mercedes-Benz applications via improperly configured single sign-on servers. That included accessing multiple Mercedes-Benz Github instances; SonarQube, Jenkins and other build servers; internal cloud deployment services for managing AWS instances; and internal Vehicle related APIs.

When every company is a software company

The struggles of legacy automotive and industrial firms to adapt to a modern and quickly evolving cyber threat landscape are well documented. (Curry and team ultimately discovered serious issues at 19 different automakers and suppliers to the automotive industry.)

What is less appreciated is the way in which cyber risks like software supply chain security lapses can quickly become matters of life and death, said Saša Zdjelar, Chief Trust Officer at ReversingLabs.

Repositories such as GitHub can include software that eventually makes it to the vehicle as well (as part of the CAN, Car Area Network) and ultimately plays a role in safety and other critical systems such as breaking, sensing, steering, security (eg. Alarm, locking/unlocking), location/tracking, etc. not just media and entertainment.

Saša Zdjelar

That raises the stakes for companies like Mercedes-Benz to prioritize software supply chain security.

It’s more critical than ever in world of escalating software supply chain breaches such as this one that companies can attest to regulators, customers, and investors that their software is free of malware; hasn’t been tampered with by a malicious actor; is cryptographically sound; doesn’t include embedded secrets; doesn’t exhibit overly permissive behaviors (including network connections to nefarious hosts); and has been compiled with appropriate hardening and secure configuration.

Saša Zdjelar

Supply chain security must go beyond legacy AppSec

Traditional application security tools such as static- and dynamic-application security testing (SAST and DAST), and software composition analysis (SCA) products generally overlook such threats because they were designed in a different era and for different purposes, he said.

But pressure is mounting on companies like Mercedes to address gaps in detection and awareness around software supply chain risk. In its October 2023 report, Mitigate Enterprise Software Supply Chain Security Risks, the analyst firm Gartner noted that the presence of operational and supply chain risks including technical debt and software are “lacking appropriate security controls and checks. Poor maintenance and security hygiene practices suggest an increased risk of vulnerabilities, project abandonment, and other risks at some point in the future.”