News that source code of Nissan North America tools leaked online because of a misconfigured Git server spurs questions not only about potential cyberattacks by bad actors, but also whether competitors could use the sensitive data against the automobile giant.
Nissan offerings associated with the leaked source code ran the gamut from Nissan North America mobile apps and Nissan’s internal core mobile library to some parts of the Nissan ASIST diagnostic tool and sales and marketing research tools and data. The Git server has since been taken offline, after data began to get shared on Telegram and hacking forums.
Based on discussions with intellectual property lawyers, Nissan may have some recourse in terms of filing injunctions and suing for damages under copyright, trade secrets and patent laws. To do so, the auto maker will have to expend a great deal of resources to track violators down and bring them to court. This assumes that the violators are in the United States and the company could take action under U.S. law.
Thomas Moga, a senior counsel and intellectual property attorney at Dykema, which has many automotive clients, said that according to the U.S. Copyright Office, laws protect original works of authorship “fixed in a tangible medium of expression.” Moga added that under that definition, source code can qualify for protection under the copyright laws.
“So it appears that Nissan owns a copyright in the source code and that it may well be in a position to bring an action against unauthorized users of its source code,” Moga said. “But it’s up to Nissan to pursue those actions; I think we can expect them to be very aggressive, as they should be.”
Jennifer DeTrani, general counsel and executive vice president of Nisos, added that Nissan could potentially file lawsuits as part of a legal strategy to repair the reputational damage from the leak, showing the public they are serious about protecting their vehicles. But legal remedies would not yield much.
“Collecting damages under copyright law assumes that there’s somebody with deep pockets to sue who would pay,” DeTrani said. “Any competent lawyer could get the case thrown out by pointing out to the court that the company did not adequately protect those secrets,” considering that the company kept the default username and password of admin/admin. And “while patented, and therefore protectable material may exist within the code library, they would have to prove that a competitor infringed on their patent to use this approach.”
DeTrani added that it’s mostly on Nissan to close the gaping hole in their security posture, rewrite and start over. She said once source code has been openly shared, that typically leaves a company with very few options. Nissan could also pursue lawsuits with the platforms where the code gets shared and try to get it taken down, but that won’t be very successful, said DeTrani.
“The platform companies are often served with notices that they are violating proprietary rights,” DeTrani said. “It becomes very hard to adjudicate those rights within platforms even though terms and conditions may technically protect a rights holder.” If Nissan, for example, asserted that their copyright is being infringed, many copyrights are unregistered and a platform would require a court order to get involved. Even then, platform companies are inundated with requests. Maybe more noteworthy, DeTrani said, “the harm is already done, because the code has been pulled down into private libraries that hackers maintain separately from the platforms in which the code may initially appear.”
The view from the security pros
News of the breach went public when Tillie Kottmann, the Swiss-based software engineer who learned of the leak from an anonymous source, shared her analysis with ZDNet, which reported that Nissan confirmed it had conducted an investigation regarding improper access to proprietary company source code.
Nissan said that it takes the matter seriously and they are confident that no personal data from consumers, dealers or employees was accessible in this security incident. The auto maker said the affected system has been secured and they are “confident that there’s no information in the exposed source code that would put consumers or their vehicles at risk.”
Justin Zeefe, co-founder and president of Nisos, said he was less concerned about one of Nissan’s competitors getting ahold of the source code compared with potential damage from a malicious hacker.
“I think there will be people who look for ways to monetize this breach,” Zeefe said. “A malicious hacker who wants to demonstrate their capacity could potentially find within the code a way to manipulate the software to cause physical damage to the car and potentially the occupants. I can’t speak to the specific plausibility in this case, but as physical and digital continue to merge, loss of intellectual property can do more than damage reputation.”
Stephen Banda, senior manager, security solutions at Lookout, said while security teams should always prioritize preventing unauthorized system access and data leakage, it becomes especially important when leaked data can jeopardize customer privacy as well as physical safety.
“Today, anyone with a newer vehicle may be using a mobile app to perform a number of functions, such as starting the engine, locking/unlocking doors, setting a daily remote start schedule, or storing trip history,” Banda said. “However, as shown by the Nissan data leak, any time we use mobile apps in general, we need to understand the potential risk tradeoff we make for the convenience that these apps offer.”
By leaking source code to its mobile vehicle app as well as its internal core mobile library, Nissan has provided hackers with a roadmap for developing malicious apps and malware targeting users, Banda said. This could let cyber criminals gain access to driver information and usage patterns as well as potentially enable control of core vehicle functions, such as locking/unlocking doors, presenting a risk of vehicle theft as well as a risk to driver safety.
“Cybercriminals are also likely to leverage phishing attacks posing to be from Nissan to deposit malware or obtain credentials,” Banda said. “Users should make sure they verify the sender information before responding to any messages.”
Laurence Pitt, global security strategy director at Juniper Networks, said that other auto makers have had data stolen via a Git server misconfiguration. Mercedes suffered the same embarrassment when a source-code breach for smart-car components leaked data in May 2020.
But where is the real value?
“The data is valuable in that buyers and downloaders of this data will use it to reverse-engineer code, look for weak-spots in web-portals and find ways to hack into consoles, either to gain competitive advantages or for darker, more damaging reasons,” Pitt said. “In both the Nissan and Mercedes cases, the data was left exposed on an unsecured internet-facing server – a simple Google dork search will find them. We need to remember that Google indexes anything it can see and validate, and so unencrypted, non-passworded data is fair game.”
Pitt said organizations handling source code need to take a proactive approach to their security to prevent this from happening. Consider the following as foundational security that should be checked, and run, continuously across any business:
- Protect private data areas using authentication, multi-factor-based systems, and IP restrictions.
- Encrypt data at rest and data in motion.
- Run regular Google dork queries back against systems just in case something shows up.
- If something shows up, ask Google to remove it with their search console.
- Make sure that sensitive data cannot be indexed using a robots.txt file (this will prevent Google, but not every search engine).