Details Disclosed for Mercedes-Benz Infotainment Vulnerabilities

Kaspersky has disclosed the details of over a dozen vulnerabilities discovered in a Mercedes-Benz MBUX infotainment system. 

Kaspersky has disclosed the details of over a dozen vulnerabilities discovered in a Mercedes-Benz infotainment system, but the carmaker has assured customers that the security holes have been patched and they are not easy to exploit.

Kaspersky’s research of the Mercedes-Benz head unit, called Mercedes-Benz User Experience (MBUX), built on previous research conducted by a Chinese team that disclosed its findings in 2021. 

The Russian cybersecurity firm published a blog post describing its findings on Friday, when it also started releasing advisories for each of the identified vulnerabilities. The research targeted the first generation MBUX.

Several of the flaws can be exploited for denial-of-service (DoS) attacks, while others can be leveraged to obtain data, inject commands, or escalate privileges. 

According to Kaspersky, it has demonstrated that an attacker with physical access to the targeted vehicle can exploit some of the vulnerabilities to disable anti-theft protections in the head unit, tune the vehicle, and unlock paid services. The attacks were conducted over USB and over the head unit's custom inter-process communication (IPC) connections.

The vulnerabilities have been assigned 2023 and 2024 CVE identifiers, but Mercedes-Benz told SecurityWeek that it has been aware of Kaspersky’s findings since 2022. 

“In August 2022, a team of external security researchers contacted us regarding the first generation MBUX – Mercedes-Benz User Experience,” a Mercedes-Benz spokesperson said in an emailed statement. 

“The topic described by the researchers requires physical access to the vehicle on site as well as access to the interior of the vehicle. In addition, the head unit has to be removed and opened. Newer versions of the infotainment system are not affected,” the spokesperson added.

Mercedes-Benz said the security of its products and services has ‘high priority’ and urged researchers to report findings through its vulnerability disclosure program. 

In the past, researchers disclosed vulnerabilities which they claimed could be exploited to remotely hack Mercedes-Benz cars.

Other past cybersecurity findings impacted the carmaker’s IT infrastructure. One year ago, researchers reported that a GitHub token leaked by a Mercedes-Benz employee provided access to all the source code stored on the company’s GitHub Enterprise server.

Related: Unpatched Vulnerabilities Allow Hacking of Mazda Cars

Related: Mercedes-Benz USA Says Vendor Exposed Customer Information

Related: Millions of Kia Cars Were Vulnerable to Remote Hacking

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
