
Mercedes-Benz Onboard Logic Unit (OLU) Source Code Leaks Online (zdnet.com) 50

The source code for "smart car" components installed in Mercedes-Benz vans has been leaked online over the weekend, ZDNet has learned. From the report: The leak occurred after Till Kottmann, a Swiss-based software engineer, discovered a Git web portal belonging to Daimler AG, the German automotive company behind the Mercedes-Benz car brand. Kottmann told ZDNet that he was able to register an account on Daimler's code-hosting portal, and then download more than 580 Git repositories containing the source code of onboard logic units (OLUs) installed in Mercedes vans. According to the Daimler website, the OLU is a component that sits between the car's hardware and software, and "connects vehicles to the cloud." Daimler says the OLU "simplifies technical access and the management of live vehicle data" and allows third-party developers to create apps that retrieve data from Mercedes vans. These apps are usually employed for features such as tracking vans while on the road, tracking a van's internal status, or for freezing vans in case of theft.

  • by cayenne8 ( 626475 ) on Monday May 18, 2020 @01:05PM (#60074468) Homepage Journal

    OLU is a component that sits between the car's hardware and software, and "connects vehicles to the cloud."

    Ok, does anyone out there actually want their car connected to the "fucking cloud"?

    Are we not being tracked enough as it is?

    JFC.....

    • by MancunianMaskMan ( 701642 ) on Monday May 18, 2020 @01:15PM (#60074500)
      Yeah ok cringe, but now it's at least "Open source" (LOL).

      This is exactly the sort of stuff that _really_ should not be closed-source.

    • " Ok, does anyone out there actually want their car connected to the "fucking cloud"?"

      Yes, I want my car to get alarms when accidents occurred somewhere on my route, especially during the night or fog, I want to get alarmed about the speed trap some people located a mile from where I am, I want to play MY music without having to put sticks into my car, I want it to know when I run the last corner from home so that the car opens the garage door, lights the driveway, starts the fucking coffee machine let's m

      • None of what you're describing should be talking to the *car*'s hardware. Talking to the car's hardware means adjusting the speed of the cruise control so you slow down to make sure that the coffee at home is done brewing when you arrive -- a feature that I really cannot imagine wanting.
        • adjusting the speed of the cruise control so you slow down to make sure that the coffee at home is done brewing when you arrive -- a feature that I really cannot imagine wanting.

          My wife would totally buy a car with this feature.

      • Yes, I want my car to...

        All the things you mentioned are better handled by the cellphone than the car, as the cellphone is inherently more flexible with more application options to do each of those things.

        No need to "play with your cellphone" if you have good car integration between your cellphone and car, I think honestly that is the best option, with the car potentially able to feed sensor data to specific applications on the phone.

        • by rattaroaz ( 1491445 ) on Monday May 18, 2020 @02:15PM (#60074714)
          When someone tells you they want to do something, the response shouldn't be that they shouldn't want to do it, and the alternative is better. That's your opinion, and it doesn't count greater than someone else. I have a Tesla, and it's super connected. Having those controls on a car is far better than a phone. It's not even close. But that is my opinion, and it isn't more important than yours.
          • by dfghjk ( 711126 )

            I don't know what it means to be "more important", but it sure is better informed. Furthermore, you're only talking about the user interface and it's clear that a UI tailored to the devices and environment is inherently superior so that's not even an interesting discussion.

            What's really sad is the total ignorance of the greater issue, being constrained to the power that's easily portable in the smallest devices when you are inside one of the largest devices you will generally use. It's mind-numbingly dum

            • That's awesome. I admonished someone to not put their opinion over others, and to accept others' opinion at face value. In response, you act like a self righteous douchebag. Classic irony!
        • by dfghjk ( 711126 )

          Sure, limit your computing power to what is coolable in a glass-enclosed device that weighs a few ounces and has a power budget measured in milliwatts. You're such a genius SuperKendall.

          And who has "good car integration"? It's been going on for years and it still blows. No doubt what every Tesla owner wants is that crappy Tesla software out of the way so they can mirror a subset of iOS apps on that 15" display. Great idea.

          • every Tesla owner wants is that crappy Tesla software out of the way so they can mirror a subset of iOS apps on that 15" display. Great idea.

            I realize you are being sarcastic, but this is already easy to do. A Tesla console contains an internet-connected 1920x1200 web browser. Just compile your app for Webasm, and you can run it on the console.

      • With this car you won't need the warning about the speed trap because your car will already have reported you or perhaps it flat out refuses to violate the speed limit it detects based on its GPS location. It will also let your insurance company know that you drive too aggressively and are a high risk. They'll know what music you like and how you like your coffee from Starbucks, you stop there every day between 0730-0745 and pay for it with your MBNA Debit card and that you stop for several minutes on Mull
      • by ceoyoyo ( 59147 )

        I don't want my car to do that. My phone is a much more appropriate tool for that. The car should provide a USB port, touchscreen and microphone for docking and interacting with the removable and upgradable logic and communications unit. My car does this.

      • OTOH, you're likely going to be annoyed when some bored teenager in Mongolia succeeds in locking you and all other owners of your vehicle model out of your cars -- at least until the nearest dealer can motor out with a specialized tool and unbrick the thing. Might be a bit of a service queue involved.

        Connectivity is not without risks.

        There's probably some optimum balance between connection and local autonomy. But I can't see much sign that car makers, and especially luxury vehicle makers are seeking that b

      • by dfghjk ( 711126 )

        None of those features require the "cloud" as it's commonly understood. They only require connectivity to information services.

    • These are commercial vans not consumer cars. And in the case of those, yes. The owners want to be able to verify the location, route taken, hours driven etc of a vehicle. There are a lot of regulations in place on commercial vehicles so tracking these kinds of things for compliance purposes is important.

      • there has been tech for that fleet management system for decades and already in use. No reason to have your vehicle's safety and engine operating software hooked to the internet, that could be extremely dangerous.

        • by DRJlaw ( 946416 )

          there has been tech for that fleet management system for decades and already in use. No reason to have your vehicle's safety and engine operating software hooked to the internet, that could be extremely dangerous.

          Real time monitoring of fleet maintenance requirements is at least one reason.

          • fleet management systems have option for plugging into OBD, which doesn't endanger vehicle

            • fleet management systems have option for plugging into OBD, which doesn't endanger vehicle

              LOL.. As if the OBD port doesn't include the CAN bus that pretty much allows you to do anything to the vehicle that the service department at the dealer can. The only thing with the OBD port is that it *requires* specific access to the emissions controls status in publicly known ways. The rest of the vehicle is usually just an encryption key away on the CAN bus. If you have the keys and know the addresses of stuff, you can do all sorts of things including flashing firmware and configuration parameters, r

              • Don't LOL just yet, you're not thinking things through: the reader the fleet management system has can't do those things any more than my OBD-II meter could.

                • You don't know that. You can't know that. Not without independent verification by a third party of the codebase.

                  • Oh, you're saying while I have my OBD-II meter or fleet management reader plugged into my car or a truck you can get on the internet and hack the situation, and put malicious code into the vehicle?

                    No you can't, impossible. Don't be retard, nothing is internet connected. You'd need to flash prom of gear.

                • by DRJlaw ( 946416 )

                  Don't LOL just yet, you're not thinking things through: the reader the fleet management system has can't do those things any more than my OBD-II meter could.

                  Which is why fleet managers want a more capable system available through the OLU.

                  You're not the customer. Your requirements and concerns are not a fleet manager's requirements and concerns. Get over yourself.

                  • I worked with fleet management systems of county and major city in my last job. You are the one spewing in ignorance about a subject you know nothing about. It's a mature field, and the topic of this thread is the danger of hooking vehicle systems to internet, already in Mercedes case they're the poster child of getting hacked with videos by white hat hackers

                    • by DRJlaw ( 946416 )

                      I worked with fleet management systems of county and major city in my last job.

                      Sure you did.

                      You are the one spewing in ignorance about a subject you know nothing about.

                      I'm not engaging in a pissing match with someone who doesn't even understand the difference between OBD-II and SAE J1939/FMS 3.0.

                      topic of this thread is the danger of hooking vehicle systems to internet

                      The topic of this "thread" was set by the post that you responded to first: "The owners want to be able to verify the location, route taken,

    • Yes, fleets. Customers that own 10k vans want to keep track and maintenance on all of them.

      The reason the "F150 is the best selling truck in america" is because of fleets.

    • I do like a lot of features that a proper cloud connection can give.

      Maps that Update, and show Live Traffic, and Detours.

      Being able to remotely set the temperature so I can go into a Cool car in the summer or a Warm car in the winter, with a lot of the snow melted off.

      Being able to lock the doors if I forgot to lock them. Know if my car is being stolen, and be able to stop it if it was.

      Cloud isn't necessarily bad, However a lot of companies use it for stuff that really isn't that necessary.

    • by AmiMoJo ( 196126 )

      Yes. Live traffic and charger availability are very handy. Remote monitoring is nice as well.

      This is like asking why you want a web browser. Who in their right mind would download arbitrary unknown documents and media from the cloud direct to their GPU??

      We want it, we also want it to be secure.

    • Some people do, sadly. It was just recently that I heard people talking about a killswitch being an essential anti-theft option, and anything that dissuades crooks from stealing is a good thing.

      Naturally, I argued that crooks usually have ways to get around the security measures because the software quality sucks (as is the case with almost all IoT devices), and legal paying customers are the only ones who get locked out of their devices. But, yeah... deaf ears and all that.

    • by tlhIngan ( 30335 )

      Then you're not a customer. Those who do want it, are the customers who buy a Mercedes.

      They want their car to schedule an appointment with the dealer for service - so either they just leave the car where it is and the dealer will pick it up (without needing a key - because the dealer can unlock it remotely) or they drive it to the dealer, lock it up and it magically all arranges itself so you don't have to deal with anyone.

      Or if the car needs special service because something odd crops up, their mechanics c

    • by ebvwfbw ( 864834 )

      Don't worry. It has a super secret password defined in a string. Nobody would guess it - Password="MBPassword1"
      There's a comment in GIT, needs to be 20xx compliant
      Password="MBPa$$word1"

    • "OLU is a component that sits between the car's hardware and software, and "connects vehicles to the cloud."

      Do. Not. Want.

      I see a rather profitable cottage industry popping up that involves removing/bypassing this shit.

      People laugh whenever somebody mentions "New World Order", and they risk being labeled a camo wearing kook who loves to play GI-Joe in the woods with a rusty AK-47, or a religious fanatic who is fawning about some anti-christ.

      The New World Order is real, and there is nothing supernat

  • Now the non dealer shop can repair them

  • We may now find out if they are doing security properly - no back doors or embedded credentials in the client code. Ideally if the software is properly written, exposure of the code would not be a security risk - at least to the back end or "cloud" side of the system.
  • by mamba-mamba ( 445365 ) on Monday May 18, 2020 @01:40PM (#60074572)

    Sweet. Now it is open source. Now if they put it under BSD or GPL license it will be free software.

    • Sweet. Now it is open source. Now if they put it under BSD or GPL license it will be free software.

      Your tongue is firmly in your cheek I hope.

      Like it or not, marked or not, this source code is still owned by the company (as in they hold the copyright). Just because you got your hands on a copy of it, doesn't mean you can slap any license you like onto it and it's suddenly free. Surely you didn't mean that?

      I'm just going to guess that if anybody posts copies of this stuff, immediate DMCA takedowns will be the result.

      • Just trying to make a little dig at open-source as opposed to free software. Definitely tongue in cheek. If there were actually interest in distributing the source code, I don't think the DMCA would be able to stop it in this day and age. But I doubt there will be that much interest.

      • Does it really matter at this point? How many McBZ owners even know how to go through the source, remove all of the bad tracking bits, recompile the source, and reflash the firmware in this module?

        Not to mention that will violate the lease or warranty.

        And does this source use closed libraries that cannot easily be replaced?

        Most if not all McBz owners are just going to take it up the butt and get tracked and abused throughout their lease. And the companies will continue to be more invasive and abusive.

  • Comment removed based on user account deletion
    • "$100k lexus bluetooth for free.. and said.. thanks. my lexus dealer would have had my car all day and you computer geek types are cheap and easy... foot. ass. door."

        I would've left a little 'surprise' for that bitch. Really, I would.

  • by Ken_g6 ( 775014 ) on Monday May 18, 2020 @02:20PM (#60074734)

    ... OLU base are belong to us?

  • OTA updates are good. Less need to visit the dealer. Updated maps, news, weather, and entertainment info too. Concierge services are nice.

    However, these systems give the possibility of a remotely controlled death machine. It's conceivable that somebody will figure out a hack of Teslas, distribute them, and then during rush hour one day, send them all full speed ahead with brakes disabled through the ABS system. They could even use GPS and the built-in cameras and logic software to choose targets for as

    • by green1 ( 322787 )

      Correction, OTA updates could potentially be good. They aren't by definition good, that depends on the company using them. For example, one of the only automakers using them is Tesla. The vast majority of Tesla OTAs remove functionality, or make existing interfaces worse, not better. Some previous examples:
      - reduce how much the car suspension lowers in its lowest mode
      - replace large power/speed meter in centre of dash with static image of car on non-autopilot equipped vehicles, move power meter to its own s

      • A lot of the downgrades you speak of are because of problems caused by the software. For instance, going too low causing suspension failure. You might not like them, but they're almost all good for the car. Good for Tesla, at least.

        As for control, the entire system is updatable over the air. That means anything is potentially fair game. This includes the braking system, equipped with abs, which can stop brakes from working effectively or lock the brakes.

        Get a Jaguar I-Pace. It has OTA updates, but you c

  • The Telegram screenshot shows a mega: URL, but it's censored. Having just bought one of these cars, I would very much like to get my hands on the OLU code.
    • You just bought a Mercedes commercial van? What business are you in?

      • What makes you think Mercedes-Benz uses unique code for each vehicle model, especially for a single module that provides "cloud" connectivity which is a feature in most of their high end cars?
