Remotely hack a Mercedes-Benz E-Class is possible, experts demonstrated

Chinese researchers discovered tens of vulnerabilities in a Mercedes-Benz E-Class, including issues that can be exploited to remotely hack it.

A team of Chinese experts from Sky-Go, the Qihoo 360 division focused on car hacking, discovered 19 vulnerabilities in a Mercedes-Benz E-Class, including some issues that can be exploited by attackers to remotely hack a vehicle.

The experts analyzed a Mercedes E-Class model because it is a connected car with a powerful infotainment system with a rich set of functionalities.

The research began in 2018 and in August 2019, the experts reported their findings to Daimler, which owns the Mercedes-Benz. In December 2019, the carmaker announced a partnership with the 360 Group to strengthen car IT security for the industry.

“In 2018, we begin research on Mercedes-Benz, since it is one of the most famous car brands in the world and an industry benchmark in the automotive industry. We analyze the security of Mercedes-Benz cars. There are so many models from Mercedes-Benz, and we finally chose the research target on Mercedes-Benz E-Class, since the E-Class’s in-vehicle infotainment system has the most connectivity functionalities of all.” reads the research paper.

Last week, during the Black Hat cybersecurity conference, representatives of Sky-Go and Daimler disclosed the findings of their research. The experts avoided to publicly disclose technical details of the issues to prevent malicious exploitation in the wild.

The team of experts was able to exploit the flaws to remotely unlock the car’s doors and start the engine of a Mercedes-Benz E-Class. According to the experts, the flaw could have affected 2 million vehicles only in China.

The experts initially collected relevant information from the target devices, such as network topology, pin definitions, chip model, and enable signals in the car. Then disassembled the center panel in the car to analyze the wiring connections between the Electronic Control Units (ECUs).

The analysis of the file system of the vehicle’s Telematics Control Unit (TCU), to which they gained access by obtaining an interactive shell with root privileges, they uncovered passwords and certificates for the backend server.

“If we have to debug the TCU client programs dynamically, we need to tamper the filesystem to get an interactive shell with ROOT privileges.” continues the research.

The researchers were also able to gain access to backend servers by analyzing the vehicle’s embedded SIM (eSIM) card used for the external connectivity.

“Car Backend is the core of Connected Cars. As long as Car Backends’ services can be accessed externally, it means that car backend is at risk of being attacked. The vehicles connecting to this Car Backend are in danger, too. So, our next step is to try to access Car Backend.” continues the research. “For accessing the APN networks of backend, one possibility would be using the e-sim of car-parts since the sim account wouldn’t log out automatically. After tearing down this eSIM, we put it into the 4G router.”

Experts noticed the lack of authentication between the backend servers and the “Mercedes me” mobile app, which allows users to remotely control multiple functions of the car. The researchers explained that once they got access to the backend, they could control any car in China.

The experts said that they did not manage to hack any critical safety functions of the tested vehicles.

“During the research and joint workshop, we see so many security designs in Mercedes-Benz Connected Cars and these designs are protecting the cars from various attacks.” the paper concluded. “The capability of a car company to work jointly with researchers contributes to the overall security of our cars.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Mercedes)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.