Vulnerabilities found in Mercedes-Benz cars

After an eight-month audit of the computer system code in Mercedes-Benz vehicles, security researchers from the Tencent Security Keen Lab identified five vulnerabilities. Four out of five problems are critical and exploiting them allows code to be executed remotely.

The vulnerabilities were found in the Mercedes-Benz User Experience (MBUX), an infotainment system originally introduced on A-Class vehicles in 2018, but has since been rolled out across the manufacturer’s entire vehicle lineup.

Vulnerabilities (CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910) allow hackers to remotely control certain vehicle functions, but without access to physical characteristics such as steering control or braking system.

The researchers found the use of an outdated Linux kernel at risk of certain attacks, vulnerabilities in the browser’s built-in JavaScript engine, and the potential impact of vulnerabilities in the Wi-Fi processor, Bluetooth stack, USB functionality, or enabled third-party applications that communicate with remote servers.

Analysis of the host revealed a number of issues: heap overflow vulnerabilities, including two that can lead to memory leaks and code execution; the ability to configure a remote shell using a vulnerability in the provided browser; lack of SELinux or AppArmor, which allowed exploiting a vulnerability in the Linux kernel for privilege escalation.

After an initial compromise involving setting up a persistent web shell with superuser privileges, the researchers were able to unlock certain vehicle functions and disable anti-theft protection, implement a persistent backdoor, and even perform driving actions.

Experts reported the discovered vulnerabilities to Daimler (which owns Mercedes-Benz) in November 2020, and the company began distributing patches at the end of January 2021.

Catch up on more articles here

Follow us on Twitter here


Must read


Related Posts