Hacking the infotainment system used in Mercedes-Benz cars

Pierluigi Paganini May 19, 2021

Security researchers identified five vulnerabilities in the infotainment system in Mercedes-Benz cars, four of them are remotely exploitable.

Security researchers with Tencent Security Keen Lab identified five vulnerabilities, tracked as CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910, in the latest infotainment system in Mercedes-Benz cars.

The experts focused their analysis on the Mercedes-Benz User Experience (MBUX) infotainment system, which was first presented by the carmaker in 2018.

Four vulnerabilities could be exploited by attackers remotely control some functions of the vehicle, fortunately, none could be used to control physical features of the cars.

The Keen Team researchers discovered that the tested systems were running an outdated Linux kernel version that is affected by vulnerabilities that could be exploited to carry out specific attacks.

The researchers explored multiple attack scenarios that could leverage the browser’s JavaScript engine, Wi-Fi chip, Bluetooth stack, USB functions, or third-party apps in their head unit.

The researchers demonstrated that an attacker could set up a web shell with root privileges and use other issues, like heap overflow bugs, to interfere with specific car functions.

The experts were able to bypass the vehicle’s anti-theft protection even perform vehicle control actions.

By manipulating and injecting TCP packets throgh the CAN bus, the researchers were able to perform multiple actions such as open/close ambient light in the vehicle, control the reading lights, open the sunshade cover, and control the back-seat passenger lights.

“To verify our thought, we captured all the TCP packets sent to RH850 while performing vehicle control actions. Finally, we got the TCP packets from a TCP connection sent by process k2lacsdaemon. Injecting code into process k2lacsdaemon and replaying these packets can trigger the specified vehicle control actions.” reads the report published by the experts. “The vehicle control actions we successfully triggered and the TCP packets are shown in Table 6.1.”

  • open ambient light
  • close ambient light
  • open driver reading light
  • close driver reading light
  • open passenger reading light
  • close passenger reading light
  • open sunshade cover
  • open back-seat passenger light
  • close back-seat passenger light

Experts also devised attack scenarios against the T-Box that leveraged the embedded Wi-Fi chip, the STA8090 chip, the CAN bus, or the implementation of LTE protocol. However, security controls that Mercedes-Benz implemented prevented attacks from baseband or LTE’s downgrade to GSM (to hijacking vehicle control commands).

Anyway, the experts didn’t find a way to compromise the T-Box, they only demonstrated
how to send arbitrary CAN messages from T-Box and bypass the code signing mechanism to fash a custom SH2A MCU firmware by utilizing a vulnerability in SH2A firmware on a debug version T-Box.

In their report, the researchers describe both successful and unsuccessful attack attempts, while also providing extensive technical details of the hardware and software they tested.

Experts reported the vulnerabilities to Daimler in November 2020 and the carmaker released security patches starting from late January 2021.

“This report showed how we performed our security research on MercedesBenz’s newest infotainment system, MBUX. In order to complete some attack chains, We analyzed many attack surfaces and successfully exploited some of the attack surfaces on head unit and T-Box.” concludes the report. “For head unit, we demonstrated what the attacked could do in a compromised head unit system for two attack scenarios, the removed head units and the real-world vehicles”

In August 2020, a team of Chinese experts from Sky-Go, the Qihoo 360 division focused on car hacking, discovered 19 vulnerabilities in a Mercedes-Benz E-Class, including some issues that can be exploited by attackers to remotely hack a vehicle.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Mercedes)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment