Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Researchers Find Exploitable Bugs in Mercedes-Benz Cars

Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution.

Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution.

The vulnerabilities were found in the Mercedes-Benz User Experience (MBUX), the infotainment system initially introduced on A-class vehicles in 2018, but has since been adopted on the car maker’s entire vehicle line-up.

The vulnerabilities, tracked as CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910, provides hackers with remote control of some of the car’s functions, but not with access to physical features, such as steering or braking systems.

In addition to targeting the main infotainment head unit, the security researchers also analyzed Mercedes-Benz’s T-Box, successfully exploited some of the identified attack scenarios, and even combined some of them to compromise the head unit even in real-world vehicles.


The Keen Team researchers discovered the use of an outdated Linux kernel that was susceptible to specific attacks, exposure via the included browser’s JavaScript engine, and potential exposure to flaws in the Wi-Fi chip, Bluetooth stack, USB functions, or included third-party apps that communicate with remote servers.


Analysis of the head unit revealed a series of heap overflow vulnerabilities, including two that could lead to memory leaks and code execution; the possibility to set up remote shell using a vulnerability in the provided browser; the lack of SELinux or AppArmor that allowed for the abuse of a Linux kernel bug for privilege escalation; and several additional issues.


Following the initial compromise, which involved setting up a persistent web shell with root privileges, the researchers were able to unlock specific car functions and the vehicle’s anti-theft protection, inject a persistent backdoor, and even perform vehicle control actions.


By sending specific CAN messages, the researchers were able to control the ambient light in the vehicle, control the reading lights, open the sunshade cover and control the back-seat passenger lights, but were not able to take control of the vehicle.


Attack scenarios involving the T-Box would exploit the included Wi-Fi chip; the STA8090 chip that works as a receiver IC; the CAN bus; or the LTE connection (via Huawei’s balong baseband). However, security controls that Mercedes-Benz implemented prevented attacks from baseband or LTE’s downgrade to GSM (to hijacking vehicle control commands).


During their analysis, the researchers discovered two issues in the T-Box that could be abused in attacks. One could be exploited for code execution on the chip that receives messages from the CPU, converts them and sends them to the CAN bus. Thus, they were able to send arbitrary CAN messages to the CAN bus. They were also able to flash the firmware on the chip with a patched version, for persistence.


In their report, the researchers describe both successful and unsuccessful attack attempts, while also providing extensive technical details of the hardware and software they tested.


The identified vulnerabilities were reported to the vendor (Daimler, which owns Mercedes-Benz) in November 2020. Patches started rolling out in late January 2021.


“We highly appreciate the expertise of Tencent Security Keen Lab. In addition to their profound know-how I would like to thank the Keen Lab team for the productive collaboration which we would like to continue in future,” Adi Ofek, CEO of Mercedes-Benz Tel Aviv and holding the mandate for car IT security at Mercedes-Benz, said.


Related: Cars Exposed to Attacks by Hardcoded Credentials in MyCar Apps

Related: Vulnerabilities Expose Lexus, Toyota Cars to Hacker Attacks

Related: Securing Autonomous Vehicles Paves the Way for Smart Cities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...