A team of Chinese researchers described the process of analysis that led to the discovery of 19 vulnerabilities in a Mercedes-Benz E-Class including bugs that can be exploited to hack a car remotely.
Starting in 2018 the research was conducted by Sky-Go, Chinese security solutions provider Qihoo 360 ‘s vehicle cybersecurity unit. The findings were disclosed in August of last year to Daimler, who owns the Mercedes-Benz brand. The car maker patched the safety holes and announced it had joined forces with the Sky-Go team in December 2019 in an effort to improve the safety of its vehicles.
Sky-Go and Daimler representatives released the findings at the Black Hat cybersecurity conference this week, and issued a research paper describing the results. Nevertheless, some information to protect Daimler’s intellectual property and to prevent malicious abuse was not made public.
The researchers conducted their work on a real Mercedes-Benz E-Class and showed how a hacker could have unlocked the car’s doors remotely and started its engine. The experts estimated 2 million vehicles in China could have been affected by the vulnerabilities.
Sky-Go said it is targeting the E-Class, described by Mercedes as the smartest business saloon, for its infotainment system, which has the most connectivity features.
The investigators disassembled the center panel and analyzed the head unit, the telematics control unit (TCU), and the backend of the vehicle.
They found passwords and certificates for the backend server in the vehicle’s file system TCU, to which they obtained access by receiving an interactive shell with root privileges.
“The backend to the car is the heart of connected vehicles,” explained the researchers. “As long as the assets of the car backend can be accessed externally, this means the car backend is in danger of being attacked. The vehicles connected to the backend of this car are also in danger.
After analyzing the vehicle’s embedded SIM (eSIM) card which is typically used to provide connectivity, identify a car, and encrypt communications, they ultimately gained some access to backend servers.
The issue was that backend servers didn’t authenticate requests from the mobile app called “Mercedes me,” which allows users to access the vehicle remotely and control different functions. When they got access to the backend, the researchers believed they could monitor any car in China.
That vulnerability could have been exploited by a hacker to remotely lock and unlock the doors, open and close the roof, activate the horn and lights, and even start the engine in some cases. The researchers said that they failed to hack any important safety features.
The TCU and backend were impacted by a number of the 19 vulnerabilities identified by the Sky-Go team, with a few of them located in the head unit and other components. Such CVE identifiers have been allocated to the TCU flaws.