Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution.
The vulnerabilities were found in the Mercedes-Benz User Experience (MBUX), the infotainment system initially introduced on A-class vehicles in 2018, but has since been adopted on the car maker’s entire vehicle line-up.
The vulnerabilities, tracked as CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910, provides hackers with remote control of some of the car’s functions, but not with access to physical features, such as steering or braking systems.
In addition to targeting the main infotainment head unit, the security researchers also analyzed Mercedes-Benz’s T-Box, successfully exploited some of the identified attack scenarios, and even combined some of them to compromise the head unit even in real-world vehicles.
The Keen Team researchers discovered the use of an outdated Linux kernel that was susceptible to specific attacks, exposure via the included browser’s JavaScript engine, and potential exposure to flaws in the Wi-Fi chip, Bluetooth stack, USB functions, or included third-party apps that communicate with remote servers.
Analysis of the head unit revealed a series of heap overflow vulnerabilities, including two that could lead to memory leaks and code execution; the possibility to set up remote shell using a vulnerability in the provided browser; the lack of SELinux or AppArmor that allowed for the abuse of a Linux kernel bug for privilege escalation; and several additional issues.
Following the initial compromise, which involved setting up a persistent web shell with root privileges, the researchers were able to unlock specific car functions and the vehicle’s anti-theft protection, inject a persistent backdoor, and even perform vehicle control actions.
By sending specific CAN messages, the researchers were able to control the ambient light in the vehicle, control the reading lights, open the sunshade cover and control the back-seat passenger lights, but were not able to take control of the vehicle.
Attack scenarios involving the T-Box would exploit the included Wi-Fi chip; the STA8090 chip that works as a receiver IC; the CAN bus; or the LTE connection (via Huawei’s balong baseband). However, security controls that Mercedes-Benz implemented prevented attacks from baseband or LTE’s downgrade to GSM (to hijacking vehicle control commands).
During their analysis, the researchers discovered two issues in the T-Box that could be abused in attacks. One could be exploited for code execution on the chip that receives messages from the CPU, converts them and sends them to the CAN bus. Thus, they were able to send arbitrary CAN messages to the CAN bus. They were also able to flash the firmware on the chip with a patched version, for persistence.
In their report, the researchers describe both successful and unsuccessful attack attempts, while also providing extensive technical details of the hardware and software they tested.
The identified vulnerabilities were reported to the vendor (Daimler, which owns Mercedes-Benz) in November 2020. Patches started rolling out in late January 2021.
“We highly appreciate the expertise of Tencent Security Keen Lab. In addition to their profound know-how I would like to thank the Keen Lab team for the productive collaboration which we would like to continue in future,” Adi Ofek, CEO of Mercedes-Benz Tel Aviv and holding the mandate for car IT security at Mercedes-Benz, said.
Related: Cars Exposed to Attacks by Hardcoded Credentials in MyCar Apps
Related: Vulnerabilities Expose Lexus, Toyota Cars to Hacker Attacks
Related: Securing Autonomous Vehicles Paves the Way for Smart Cities