Researchers Find Exploitable Bugs in Mercedes-Benz Cars

Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution.

The vulnerabilities were found in the Mercedes-Benz User Experience (MBUX), the infotainment system that was initially introduced on A-Class vehicles in 2018 and has since been adopted across the car maker’s entire vehicle line-up.

The vulnerabilities, tracked as CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910, give attackers remote control of some of the car’s functions, but not access to physical driving functions such as the steering or braking systems.

In addition to targeting the main infotainment head unit, the security researchers also analyzed Mercedes-Benz’s T-Box, successfully exploited some of the identified attack scenarios, and combined several of them to compromise the head unit in real-world vehicles.


The Keen Team researchers discovered the use of an outdated Linux kernel that was susceptible to specific attacks, exposure via the included browser’s JavaScript engine, and potential exposure to flaws in the Wi-Fi chip, Bluetooth stack, USB functions, or included third-party apps that communicate with remote servers.


Analysis of the head unit revealed a series of heap overflow vulnerabilities, including two that could lead to memory leaks and code execution; the possibility of setting up a remote shell through a vulnerability in the provided browser; the absence of SELinux or AppArmor, which allowed a Linux kernel bug to be abused for privilege escalation; and several additional issues.

Following the initial compromise, which involved setting up a persistent web shell with root privileges, the researchers were able to unlock specific car functions and the vehicle’s anti-theft protection, inject a persistent backdoor, and even perform vehicle control actions.


By sending specific CAN messages, the researchers were able to control the ambient lighting, the reading lights, and the back-seat passenger lights, and to open the sunshade cover, but they were not able to take control of the vehicle itself.


Attack scenarios involving the T-Box would exploit the included Wi-Fi chip; the STA8090 chip that works as a receiver IC; the CAN bus; or the LTE connection (via Huawei’s Balong baseband). However, security controls that Mercedes-Benz implemented prevented attacks from the baseband and blocked an LTE-to-GSM downgrade that would have allowed vehicle control commands to be hijacked.


During their analysis, the researchers discovered two issues in the T-Box that could be abused in attacks. One could be exploited for code execution on the chip that receives messages from the CPU, converts them and sends them to the CAN bus. Thus, they were able to send arbitrary CAN messages to the CAN bus. They were also able to flash the firmware on the chip with a patched version, for persistence.
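As a defender-side illustration of the CAN injection described above (an example added here, not code from Keen Lab or Mercedes-Benz; the arbitration IDs and log lines are constructed), the check below learns per-ID message periods from candump-style traffic believed to be clean and then flags frames from an unknown ID or frames arriving far faster than their learned period, which is what an injected frame from a compromised head unit or T-Box looks like on the bus:

```python
import re
from collections import defaultdict
# candump-style "(timestamp) iface ID#DATA" lines; regex written here, not taken from can-utils
LINE_RE = re.compile(r"^\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$")
# Constructed clean traffic with hypothetical IDs (not from the Keen Lab report): 3C0 every 100 ms, 1A0 every 50 ms
BASELINE_LOG = """\
(0.000) can0 3C0#0100
(0.050) can0 1A0#00
(0.100) can0 3C0#0100
(0.100) can0 1A0#00
(0.200) can0 3C0#0100
"""
# Constructed traffic after a compromised node starts transmitting: a second 3C0 frame 20 ms after the genuine one, and an ID never seen in the baseline
ATTACK_LOG = """\
(1.000) can0 3C0#0100
(1.020) can0 3C0#01FF
(1.050) can0 1A0#00
(1.070) can0 7FF#DEAD
(1.100) can0 3C0#0100
"""

def parse(text):
    # (timestamp, arbitration ID, payload) per well-formed line; anything else is skipped
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), m["id"].upper(), m["data"].upper()))
    return frames

def learn_baseline(frames):
    # mean inter-arrival interval per ID, learned from traffic believed to be clean
    gaps, last = defaultdict(list), {}
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: sum(g) / len(g) for cid, g in gaps.items()}

def detect(frames, baseline, tolerance=0.5):
    # flag IDs absent from the baseline, and frames arriving much faster than their learned period
    alerts, last = [], {}
    for ts, cid, _ in frames:
        if cid not in baseline:
            alerts.append((ts, cid, "arbitration ID not seen during baseline"))
        elif cid in last and ts - last[cid] < baseline[cid] * tolerance:
            alerts.append((ts, cid, "frame %.3fs after previous, expected ~%.3fs" % (ts - last[cid], baseline[cid])))
        last[cid] = ts
    return alerts
```

On the constructed logs this reports exactly the injected 3C0 frame and the unknown 7FF frame; a real deployment would learn the baseline per vehicle and treat the tolerance as a tuning knob.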


In their report, the researchers describe both successful and unsuccessful attack attempts, while also providing extensive technical details of the hardware and software they tested.


The identified vulnerabilities were reported to the vendor (Daimler, which owns Mercedes-Benz) in November 2020. Patches started rolling out in late January 2021.


“We highly appreciate the expertise of Tencent Security Keen Lab. In addition to their profound know-how I would like to thank the Keen Lab team for the productive collaboration which we would like to continue in future,” Adi Ofek, CEO of Mercedes-Benz Tel Aviv and holding the mandate for car IT security at Mercedes-Benz, said.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
