Nissan investigating possible source code exposure

[mood]

Nissan investigating possible source code exposure

 

Nissan is examining whether source code for its North American division’s mobile apps, marketing tools and more have leaked online, the company said.

“We are aware of a claim regarding a reported improper disclosure of Nissan’s confidential information and source code,” said a Nissan spokesperson. “We take this type of matter seriously and are conducting an investigation.”

 

Tillie Kottmann, a software engineer, publicized the apparently leaked information earlier this week on Twitter and Telegram. They told CyberScoop the information came via a “severely mismanaged” server that had the username and password of “admin:admin.”

“I was informed about the server by an anonymous source but acquired it myself and can thus mostly verify it,” Kottmann said via a Twitter direct message exchange. Kottmann said they also heard some ex-Nissan employees recognized projects there.

 

Poorly configured servers are a common source of online data leaks, in recent months afflicting Razer, medical scans, hotel guests, dating websites and more.

 

On Monday, Kottmann said the server exposed a broad range of data.

RELEASE: Nissan North America Source Code Dump

A COMPLETE dump of all git repositories from Nissan NA, most notably including sources for:
– the Nissan NA Mobile apps
– some parts of the ASIST diagnostics tool
– the Dealer Business Systems / Dealer Portal
(1/n) pic.twitter.com/ltDvg9blTB

— tillie, doer of crime (@antiproprietary) January 4, 2021

Nissan Canada previously suffered a data breach in 2017.

 

Kottmann, a Swiss IT consultant and developer, has previously publicized security shortcomings at Deloitte, Mercedes-Benz, Intel and elsewhere.

 

The technology news site ZDNet first reported on the incident Wednesday.

 

 

Source: Nissan investigating possible source code exposure

[mood]

Nissan NA source code leaked due to default admin:admin credentials

 

 

Multiple code repositories from Nissan North America became public this week after the company left an exposed Git server protected with default access credentials.

 

The entire collection is around 20 gigabytes large and contains source code for mobile apps and various tools used by Nissan internally for diagnostics, client acquisition, market research, or NissanConnect services.

 

It is unclear if Nissan learned about the leak by itself or received a tip, but the company took down the insecure server on Tuesday before media outlets started publishing news of the incident.

Complete git repos dump

Swiss developer and reverse engineer Tillie Kottmann, who maintains a repository of leaked source code from various sources and their scouting of misconfigured devops tools, posted a summary of the Nissan leak:

• Nissan NA Mobile apps
• Parts of the ASIST Diagnostic System software
• Dealer Business Systems/Dealer Portal
• Nissan internal core mobile library
• Nissan/Infiniti NCAR/ICAR services
• Client acquisition and retention tools
• Sale/market research tools and data
• Various marketing tools
• Vehicle logistics portal
• Vehicle connected services/Nissan connect things
• Various other backends and internal tools

Kottmann told BleepingComputer that someone had informed them of the server and the admin/admin access credentials. Once the word got out, a torrent link for Nissan source code collection started being shared online; so despite Nissan's effort, the data remains in the hands of unauthorized third-parties.

Repository pulled

In a conversation with Kottmann, they said that the company contacted them about hosting the repositories and that they would likely remove them. It happened on Thursday.

 

The developer told us on a different occasion that they comply with takedown requests and are even willing to provide tips for improving the security of a company's infrastructure if asked.

 

Their public repository on GitLab contains folders with data from big companies like Pepsi, Toyota, SunTech, AMD, Motorola, Mediatek, Sierra Nevada Corporation, or the U.S. Air Force Research Laboratory.

 

Although not all folders have sensitive data they may contain information meant to be private or that could lead to protected assets.

 

 

Source: Nissan NA source code leaked due to default admin:admin credentials

[mood]

Legal recourse? Nissan balances competitive and security fallout from source code leak

 

Nissan cars are displayed at a dealership on July 25, 2019 in New York City. The company experienced a source code leak, due to a misconfigured Git server. (Spencer Platt/Getty Images)

 

News that source code of Nissan North America tools leaked online because of a misconfigured Git server spurs questions not only about potential cyberattacks by bad actors, but also whether competitors could use the sensitive data against the automobile giant.

 

Nissan offerings associated with the leaked source code ran the gamut from Nissan North America mobile apps and Nissan’s internal core mobile library to some parts of the Nissan ASIST diagnostic tool and sales and marketing research tools and data. The Git server has since been taken offline, after data began to get shared on Telegram and hacking forums.

 

Based on discussions with intellectual property lawyers, Nissan may have some recourse in terms of filing injunctions and suing for damages under copyright, trade secrets and patent laws. To do so, the auto maker will have to expend a great deal of resources to track violators down and bring them to court. This assumes that the violators are in the United States and the company could take action under U.S. law.

 

Thomas Moga, a senior counsel and intellectual property attorney at Dykema, which has many automotive clients, said that according to the U.S. Copyright Office, laws protect original works of authorship “fixed in a tangible medium of expression.” Moga added that under that definition, source code can qualify for protection under the copyright laws.

“So it appears that Nissan owns a copyright in the source code and that it may well be in a position to bring an action against unauthorized users of its source code,” Moga said. “But it’s up to Nissan to pursue those actions; I think we can expect them to be very aggressive, as they should be.”

 

Jennifer DeTrani, general counsel and executive vice president of Nisos, added that Nissan could potentially file lawsuits as part of a legal strategy to repair the reputational damage from the leak, showing the public they are serious about protecting their vehicles. But legal remedies would not yield much.

“Collecting damages under copyright law assumes that there’s somebody with deep pockets to sue who would pay,” DeTrani said. “Any competent lawyer could get the case thrown out by pointing out to the court that the company did not adequately protect those secrets,” considering that the company kept the default username and password of admin/admin. And “while patented, and therefore protectable material may exist within the code library, they would have to prove that a competitor infringed on their patent to use this approach.”

 

DeTrani added that it’s mostly on Nissan to close the gaping hole in their security posture, rewrite and start over. She said once source code has been openly shared, that typically leaves a company with very few options. Nissan could also pursue lawsuits with the platforms where the code gets shared and try to get it taken down, but that won’t be very successful, said DeTrani.

“The platform companies are often served with notices that they are violating proprietary rights,” DeTrani said. “It becomes very hard to adjudicate those rights within platforms even though terms and conditions may technically protect a rights holder.”  If Nissan, for example, asserted that their copyright is being infringed, many copyrights are unregistered and a platform would require a court order to get involved.  Even then, platform companies are inundated with requests. Maybe more noteworthy, DeTrani said, “the harm is already done, because the code has been pulled down into private libraries that hackers maintain separately from the platforms in which the code may initially appear.”

 

The view from the security pros

 

News of the breach went public when Tillie Kottmann, the Swiss-based software engineer who learned of the leak from an anonymous source, shared her analysis with ZDNet, which reported that Nissan confirmed it had conducted an investigation regarding improper access to proprietary company source code.

 

Nissan said that it takes the matter seriously and they are confident that no personal data from consumers, dealers or employees was accessible in this security incident. The auto maker said the affected system has been secured and they are “confident that there’s no information in the exposed source code that would put consumers or their vehicles at risk.”

 

Justin Zeefe, co-founder and CEO of Nisos, said he was less concerned about one of Nissan’s competitors getting ahold of the source code compared with potential damage from a malicious hacker.

“I think there will be people who look for ways to monetize this breach,” Zeefe said. “A malicious hacker who wants to demonstrate their capacity could potentially find within the code a way to manipulate the software to cause physical damage to the car and potentially the occupants. I can’t speak to the specific plausibility in this case, but as physical and digital continue to merge, loss of intellectual property can do more than damage reputation.”

 

Stephen Banda, senior manager, security solutions at Lookout, said while security teams should always prioritize preventing unauthorized system access and data leakage, it becomes especially important when leaked data can jeopardize customer privacy as well as physical safety.

“Today, anyone with a newer vehicle may be using a mobile app to perform a number of functions, such as starting the engine, locking/unlocking doors, setting a daily remote start schedule, or storing trip history,” Banda said. “However, as shown by the Nissan data leak, any time we use mobile apps in general, we need to understand the potential risk tradeoff we make for the convenience that these apps offer.”

 

By leaking source code to its mobile vehicle app as well as its internal core mobile library, Nissan has provided hackers with a roadmap for developing malicious apps and malware targeting users, Banda said. This could let cyber criminals gain access to driver information and usage patterns as well as potentially enable control of core vehicle functions, such as locking/unlocking doors, presenting a risk of vehicle theft as well as a risk to driver safety.

“Cybercriminals are also likely to leverage phishing attacks posing to be from Nissan to deposit malware or obtain credentials,” Banda said. “Users should make sure they verify the sender information before responding to any messages.”

 

Laurence Pitt, global security strategy director at Juniper Networks, said that other auto makers have had data stolen via a Git server misconfiguration. Mercedes suffered the same embarrassment when a source-code breach for smart-car components leaked data in May 2020.

 

But where is the real value?

“The data is valuable in that buyers and downloaders of this data will use it to reverse-engineer code, look for weak-spots in web-portals and find ways to hack into consoles, either to gain competitive advantages or for darker, more damaging reasons,” Pitt said. “In both the Nissan and Mercedes cases, the data was left exposed on an unsecured internet-facing server – a simple Google dork search will find them. We need to remember that Google indexes anything it can see and validate, and so unencrypted, non-passworded data is fair game.”

 

Pitt said organizations handling source code need to take a proactive approach to their security to prevent this from happening. Consider the following as foundational security that should be checked, and run, continuously across any business:

• Protect private data areas using authentication, multi-factor-based systems, and IP restrictions.
• Encrypt data at rest and data in motion.
• Run regular Google dork queries back against systems just in case something shows up.
• If something shows up, ask Google to remove it with their search console.
• Make sure that sensitive data cannot be indexed using a robots.txt file (this will prevent Google, but not every search engine).

 

Source: Legal recourse? Nissan balances competitive and security fallout from source code leak