Connect with us

Hi, what are you looking for?


Application Security

Researchers Find Exploitable Bugs in Mercedes-Benz Cars

Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution.

Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution.

The vulnerabilities were found in the Mercedes-Benz User Experience (MBUX), the infotainment system initially introduced on A-class vehicles in 2018, but has since been adopted on the car maker’s entire vehicle line-up.

The vulnerabilities, tracked as CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910, provides hackers with remote control of some of the car’s functions, but not with access to physical features, such as steering or braking systems.

In addition to targeting the main infotainment head unit, the security researchers also analyzed Mercedes-Benz’s T-Box, successfully exploited some of the identified attack scenarios, and even combined some of them to compromise the head unit even in real-world vehicles.

The Keen Team researchers discovered the use of an outdated Linux kernel that was susceptible to specific attacks, exposure via the included browser’s JavaScript engine, and potential exposure to flaws in the Wi-Fi chip, Bluetooth stack, USB functions, or included third-party apps that communicate with remote servers.

Advertisement. Scroll to continue reading.

Analysis of the head unit revealed a series of heap overflow vulnerabilities, including two that could lead to memory leaks and code execution; the possibility to set up remote shell using a vulnerability in the provided browser; the lack of SELinux or AppArmor that allowed for the abuse of a Linux kernel bug for privilege escalation; and several additional issues.

Following the initial compromise, which involved setting up a persistent web shell with root privileges, the researchers were able to unlock specific car functions and the vehicle’s anti-theft protection, inject a persistent backdoor, and even perform vehicle control actions.

By sending specific CAN messages, the researchers were able to control the ambient light in the vehicle, control the reading lights, open the sunshade cover and control the back-seat passenger lights, but were not able to take control of the vehicle.

Attack scenarios involving the T-Box would exploit the included Wi-Fi chip; the STA8090 chip that works as a receiver IC; the CAN bus; or the LTE connection (via Huawei’s balong baseband). However, security controls that Mercedes-Benz implemented prevented attacks from baseband or LTE’s downgrade to GSM (to hijacking vehicle control commands).

During their analysis, the researchers discovered two issues in the T-Box that could be abused in attacks. One could be exploited for code execution on the chip that receives messages from the CPU, converts them and sends them to the CAN bus. Thus, they were able to send arbitrary CAN messages to the CAN bus. They were also able to flash the firmware on the chip with a patched version, for persistence.

In their report, the researchers describe both successful and unsuccessful attack attempts, while also providing extensive technical details of the hardware and software they tested.

The identified vulnerabilities were reported to the vendor (Daimler, which owns Mercedes-Benz) in November 2020. Patches started rolling out in late January 2021.

“We highly appreciate the expertise of Tencent Security Keen Lab. In addition to their profound know-how I would like to thank the Keen Lab team for the productive collaboration which we would like to continue in future,” Adi Ofek, CEO of Mercedes-Benz Tel Aviv and holding the mandate for car IT security at Mercedes-Benz, said.

Related: Cars Exposed to Attacks by Hardcoded Credentials in MyCar Apps

Related: Vulnerabilities Expose Lexus, Toyota Cars to Hacker Attacks

Related: Securing Autonomous Vehicles Paves the Way for Smart Cities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.