Tencent Security Keen Lab identified five vulnerabilities in Mercedes-Benz smart cars, four of which could be exploited for remote code execution.
The researchers conducted an eight-month audit of the latest Mercedes-Benz User Experience (MBUX) infotainment system, which was introduced in the A-Class in 2018 and later adopted across Mercedes-Benz vehicles.
The researchers note that by exploiting the vulnerabilities (CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909 and CVE-2021-23910) an attacker can remotely control some of the car's functions, but not safety-critical physical systems such as steering or braking.
The researchers successfully compromised the head unit in real-world connected vehicles and also exploited the Mercedes-Benz T-Box (the telematics control unit).
According to the Keen Lab researchers, the attack surface included an outdated Linux kernel that they found susceptible to known attacks; the system could also be attacked through the JavaScript engine of the built-in browser, and through flaws in the Wi-Fi chip, the USB functions, the Bluetooth stack, or third-party apps that communicate with remote servers.
The researchers say the head unit had a series of heap overflow vulnerabilities, two of which could lead to memory leaks and code execution. In addition, an attacker could obtain a remote shell by exploiting a vulnerability in the built-in browser. They also noted that neither SELinux nor AppArmor was enabled, so nothing confined a compromised process, which left an attacker free to abuse a Linux kernel flaw for privilege escalation.
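As an added illustration of the overflow-to-leak chain described above (constructed for this article; it is not Keen Lab's code and not the MBUX parser), the following C program builds a toy heap in which a fixed-size name buffer, a length-prefixed reply buffer and a session token sit adjacent. The vulnerable handler copies an attacker-chosen number of bytes into the 16-byte name buffer and clobbers the neighbouring length field; the reply builder then trusts that length and sends the token out along with the payload. The fixed handler bounds the copy by the destination size. The message format, the chunk layout and every name in the code are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not Keen Lab's code, not the MBUX parser): a toy
 * bump-allocated "heap" inside one static arena, so the three chunks are
 * guaranteed adjacent and the overflow stays inside a single C object
 * (deterministic, no undefined behaviour) while mirroring real heap layout.
 *
 *   chunk A: 16-byte name buffer filled from an untrusted message
 *   chunk B: u32 payload length + 8 payload bytes, echoed back to the client
 *   chunk C: an 8-byte session token that must never leave the device
 */
#define ARENA_SIZE   128
#define NAME_LEN     16
#define HDR_LEN      4
#define PAYLOAD_LEN  8
#define TOKEN_LEN    8

enum { A_OFF = 0,
       B_OFF = A_OFF + NAME_LEN,
       C_OFF = B_OFF + HDR_LEN + PAYLOAD_LEN };

static unsigned char arena[ARENA_SIZE];

/* Lay out the chunks as the device would after start-up (values are constructed). */
static void heap_init(void) {
    uint32_t len = PAYLOAD_LEN;
    memset(arena, 0, sizeof arena);
    memcpy(arena + B_OFF, &len, HDR_LEN);
    memcpy(arena + B_OFF + HDR_LEN, "payload!", PAYLOAD_LEN);
    memcpy(arena + C_OFF, "TOKEN-42", TOKEN_LEN);
}

/* Message format (assumed): [u8 name_len][name_len bytes of name]. */

/* Vulnerable handler: checks name_len against the message it came in, never
 * against the 16-byte destination, so a long name spills into chunk B. */
static void handle_name_vuln(const unsigned char *msg, size_t msg_len) {
    size_t name_len;
    if (msg_len < 1) return;
    name_len = msg[0];
    if (name_len + 1 > msg_len) return;
    memcpy(arena + A_OFF, msg + 1, name_len);   /* heap overflow when name_len > NAME_LEN */
}

/* Fixed handler: also bounds the copy by the destination and rejects oversize input. */
static int handle_name_fixed(const unsigned char *msg, size_t msg_len) {
    size_t name_len;
    if (msg_len < 1) return -1;
    name_len = msg[0];
    if (name_len + 1 > msg_len || name_len > NAME_LEN) return -1;
    memcpy(arena + A_OFF, msg + 1, name_len);
    return 0;
}

/* Builds the reply by trusting B's length field. With a corrupted length it
 * copies far past the payload, i.e. an information leak. The clamp to the
 * arena only keeps the toy in bounds; a real device would read on into
 * neighbouring memory. */
static size_t build_reply(unsigned char *out, size_t out_cap) {
    uint32_t len;
    size_t n, avail = ARENA_SIZE - (B_OFF + HDR_LEN);
    memcpy(&len, arena + B_OFF, HDR_LEN);
    n = len;
    if (n > avail) n = avail;
    if (n > out_cap) n = out_cap;
    memcpy(out, arena + B_OFF + HDR_LEN, n);
    return n;
}

/* Sends a 20-byte name (16 'A's plus four 0x40 bytes) to the chosen handler
 * and returns the reply size. A repeated 0x40 byte yields the length
 * 0x40404040 on either endianness. */
static size_t run_scenario(int use_fixed, unsigned char *out, size_t out_cap) {
    unsigned char msg[1 + NAME_LEN + HDR_LEN];
    msg[0] = NAME_LEN + HDR_LEN;
    memset(msg + 1, 'A', NAME_LEN);
    memset(msg + 1 + NAME_LEN, 0x40, HDR_LEN);
    heap_init();
    if (use_fixed)
        (void)handle_name_fixed(msg, sizeof msg);  /* returns -1: input rejected */
    else
        handle_name_vuln(msg, sizeof msg);
    return build_reply(out, out_cap);
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    size_t n = run_scenario(0, out, sizeof out);
    printf("vulnerable handler: reply is %zu bytes, starts with \"%.16s\"\n", n, out);
    n = run_scenario(1, out, sizeof out);
    printf("fixed handler:      reply is %zu bytes, starts with \"%.8s\"\n", n, out);
    return 0;
}
```

Against the vulnerable handler the reply grows from 8 bytes to everything that follows the payload, token included; against the fixed handler the oversized message is rejected and the reply stays at 8 bytes. On a real allocator the four spilled bytes would land on the next chunk's metadata or on a pointer inside the next object, which is the usual step from a leak to code execution, and a mandatory access control layer such as SELinux or AppArmor would not stop the overflow itself but would limit what the hijacked process could reach afterwards.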
Having set up a persistent web shell with root privileges, the researchers could control certain car functions, unlock the vehicle's anti-theft protection, and plant a persistent backdoor.
They were able to control the vehicle's lighting, adjusting the ambient light, the reading lights and the rear passenger lights, and they could open the sunshade cover. They noted, however, that they were not able to take control of the vehicle itself.
Besides the bugs in the main infotainment system, the researchers discovered two bugs in the T-Box. One could allow code execution on the chip that receives messages from the T-Box's CPU, and the researchers also patched that chip's firmware to make their access persistent.
The researchers provided all the technical details of the hardware and software they tested in their report.
They reported the identified vulnerabilities to the vendor in November 2020. The smart vehicle manufacturer started rolling out patches in late January 2021.