Data has tremendous value to any manufacturer, especially within today’s increasingly digital economy. As such, manufacturers need to be proactive in always protecting access to data.
Unfortunately, Nissan North America recently suffered a data leak when source code for its mobile apps and internal tools surfaced online after the company presumably misconfigured one of its Git servers. Tillie Kottmann, a Swiss-based software engineer, who learned of the leak from an anonymous source and analyzed the Nissan data on Monday, said the Git repository contained the source code of:
- Nissan NA Mobile apps
- Some parts of the Nissan ASIST diagnostics tool
- The Dealer Business Systems / Dealer Portal
- Nissan internal core mobile library
- Nissan/Infiniti NCAR/ICAR services
- Client acquisition and retention tools
- Sale / market research tools and data
- Various marketing tools
- Vehicle logistics portal
- Vehicle connected services
“Nissan is not the first vehicle manufacturer to have data stolen via misconfiguration in Gitlab. Mercedes suffered the same embarrassment when source-code breach for ‘smart car’ components leaked data in May 2020. It could immediately appear that these are not severe leaks; after all, it’s proprietary data that is only useful with the specific brand and partners,” says Laurence Pitt, global security strategy director at Juniper Networks in an emailed statement. “However, the data is valuable - buyers and downloaders of this data will use it to reverse-engineer code, look for weak-spots in web-portals and find ways to hack into consoles; either to gain competitive advantages or for darker, more damaging reasons.”
In both cases, the data was left exposed on an unsecured internet-facing server - a simple Google dork search, which people may run continuously, will find them, explains Pitt. “We need to remember that Google indexes anything it can see and validate, and so unencrypted, non-passworded data is fair game,” he says. “Organizations need to take a proactive approach to their security to prevent this from happening. Start thinking the same way as the person looking to steal this information and remember that if you can see without logging in, then so can anyone.”
According to Pitt, manufacturers need to consider the following as foundational security that should be checked and run continuously:
· Protect, and test protection, for private data areas using authentication, multi-factor-based systems, and IP restrictions.
· Encrypt data at rest, and data in motion.
· Why not run regular Google dork queries back against systems just in case something shows up?
· If something shows up, ask Google to remove it with their search console
· Make sure that sensitive data cannot be indexed using a robots.txt file (this will prevent Google, but not every search engine)
“Getting these basics in place may not stop advanced threat techniques, but it will keep most hackers at bay,” says Pitt.
In an emailed statement, Nissan's director of corporate communications, Ashli Bobo, tells IndustryWeek Nissan conducted an immediate investigation regarding improper access to proprietary company source code. "We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident," she says. "The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk."
