Mercedes-Benz E-Class cars were vulnerable to remote hacking
Published on : Monday 10-08-2020
It is not news that the automotive industry is a target for cybercriminals. Only a few months ago, in December 2019, the FBI warned that hackers were targeting the U.S. automotive industry, and similar reports appear almost every month.
The vulnerabilities described below could have allowed even a remote attacker, with no physical access, to take control of functions of the vehicle.
The researchers analyzed a Mercedes E-Class model because it is a connected car with a powerful infotainment system and a rich set of functions.
The research had been in progress since 2018. A few days ago, at the Black Hat USA conference, representatives of Sky-Go, the vehicle security team of Qihoo 360, and Daimler officially disclosed their findings. The full technical details were withheld to prevent the issues from being exploited. Here is the timeline of the research and the fixes, according to the published report.
According to the researchers, the issues affected all Mercedes-Benz connected cars in China, more than 2 million vehicles. They were able to invoke remote services to control the car, such as the doors, lights, windows and engine, without physical access.
- July 16, 2018: Start Reverse Engineering on Mercedes-Benz Cars (360)
- Aug 21, 2019: The findings reported to Daimler (360)
- Aug 23, 2019: The services shutdown: preventing further effect on MB cars (Mercedes-Benz)
- Aug 26, 2019: Initial fix (Mercedes-Benz)
- Sep 12, 2019: All access vulnerabilities fixed (Mercedes-Benz)
- Oct 23, 2019: Joint workshop (360 & Mercedes-Benz)
- Aug 06, 2020: Black Hat USA Publication (360 & Mercedes-Benz)
The security researchers took a three-step approach to the connected car.
First, they built a test bench from the relevant intelligent components at low cost. Next, using this test bench, they designed an attack chain from outside the vehicle to its inside. Third, they executed the attack chain on a genuine car. This is how they researched the Mercedes-Benz E-Class and found the vulnerabilities.
They were able to exploit the flaws to remotely unlock the doors and start the engine of a Mercedes-Benz E-Class. According to the experts, the flaws could have affected 2 million vehicles in China alone.
They first collected information about the target devices, such as network topology, pin definitions, chip models and enable signals in the car. Then they disassembled the center panel to analyze the wiring between the Electronic Control Units (ECUs).
They analyzed the file system of the car's TCU (Telematics Control Unit). During these tests they obtained an interactive shell with root privileges, and from the file system they recovered passwords and certificates for the backend server. The researchers were also able to reach the backend servers by analyzing the vehicle's eSIM (embedded SIM), which provides the car's external connectivity.
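The secrets the researchers recovered from the TCU file system are the kind of thing a pentester hunts for mechanically once a root shell or a firmware dump is in hand. The following is an added example of that step, not code from the Sky-Go report or from Daimler: it scans a root file system (a real extracted directory via `walk_rootfs`, or the constructed in-memory sample below) for private keys, certificates, hard-coded credentials and password hashes. All file names, contents and regular expressions here are assumptions made for the illustration.

```python
import os
import re

# Patterns a pentester would look for in a root file system pulled off a
# telematics unit.  These patterns are assumptions for this example, not
# findings from the Sky-Go report.
PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "certificate": re.compile(rb"-----BEGIN CERTIFICATE-----"),
    # key=value or key: value lines in config files, case-insensitive
    "credential": re.compile(rb"(?im)^\s*(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+"),
    # /etc/shadow style entries with md5/sha256/sha512/bcrypt hashes
    "password_hash": re.compile(rb"(?m)^[^:\n]+:\$(?:1|5|6|2[aby]?)\$[^:\n]+:"),
}


def scan_content(path, data):
    """Return (path, kind) for every pattern that matches the file content."""
    return [(path, kind) for kind, rx in PATTERNS.items() if rx.search(data)]


def scan_files(files):
    """files: iterable of (path, bytes).  Returns a sorted list of findings."""
    findings = []
    for path, data in files:
        findings.extend(scan_content(path, data))
    return sorted(findings)


def walk_rootfs(root, max_size=4 * 1024 * 1024):
    """Yield (relative_path, bytes) for regular files under an extracted rootfs,
    skipping symlinks and files larger than max_size."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            if os.path.getsize(full) > max_size:
                continue
            with open(full, "rb") as fh:
                yield os.path.relpath(full, root), fh.read()


# Constructed sample rootfs, kept in memory; names and contents are made up.
SAMPLE_ROOTFS = [
    ("etc/shadow", b"root:$6$abc$XYZ:18000:0:99999:7:::\n"),
    ("etc/telematics/backend.conf",
     b"backend_url=https://backend.example.invalid\npassword=hunter2\n"),
    ("etc/ssl/client.pem",
     b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
     b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"),
    ("usr/bin/busybox", b"\x7fELF\x01\x01\x01...."),
]


def sample_findings():
    """Run the scanner over the constructed sample rootfs."""
    return scan_files(SAMPLE_ROOTFS)


if __name__ == "__main__":
    for path, kind in sample_findings():
        print(f"{kind:14s} {path}")
```

On a real unit, run `scan_files(walk_rootfs("/path/to/extracted/rootfs"))`; the two interesting hits in practice are a client certificate paired with its private key (a backend client identity) and a credential line in a service config, since either one can be replayed from a bench setup against the backend.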
The researchers also noticed a lack of authentication between the backend servers and the "Mercedes me" mobile app, which lets users remotely control several functions of the car. Once they had access to the backend, they could control any car in China.
The experts added that they could not compromise any critical safety functions of the tested vehicles.
It is really important that industries invest proactively in a cybersecurity testing cycle for their products. It helps fix open vulnerabilities and safeguards brand value by securing the end-user experience.
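The combination described above, backend credentials recovered from one car plus a remote-command service that does not tie the caller to a specific vehicle, is what turns one compromised unit into fleet-wide control. The following is an added example, not Daimler's backend code or the Mercedes me API, showing a toy remote-command service in its weak form (the request simply names a VIN and an action) beside a hardened form that verifies an HMAC-signed session and checks that the caller is authorized for that VIN. The VINs, users, session format and function names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed data: two vehicles keyed by made-up VINs and the users who own them.
VEHICLES = {
    "WDD2130001A000001": {"doors": "locked", "engine": "off"},
    "WDD2130001A000002": {"doors": "locked", "engine": "off"},
}
OWNERS = {"alice": {"WDD2130001A000001"}, "bob": {"WDD2130001A000002"}}
ACTIONS = {"unlock": ("doors", "unlocked"), "lock": ("doors", "locked"),
           "start": ("engine", "running"), "stop": ("engine", "off")}
SERVER_KEY = secrets.token_bytes(32)  # backend-only key used to sign sessions


def _apply(vin, action):
    """Update the vehicle state and report what was done."""
    field, value = ACTIONS[action]
    VEHICLES[vin][field] = value
    return f"{vin}: {field} {value}"


def weak_remote_command(vin, action):
    """Weak pattern: the request carries a VIN and an action and nothing else.
    Anyone who can reach this endpoint (for example with backend credentials
    lifted from a TCU file system) can drive any vehicle in the fleet."""
    if vin not in VEHICLES or action not in ACTIONS:
        return "error: unknown vehicle or action"
    return _apply(vin, action)


def issue_session(user, ttl=300, now=None):
    """Issue a short-lived HMAC-signed session for a user who has already
    authenticated to the backend (the login step itself is out of scope)."""
    now = int(time.time()) if now is None else int(now)
    payload = json.dumps({"sub": user, "exp": now + ttl}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def hardened_remote_command(token, vin, action, now=None):
    """Hardened pattern: verify the session, then check that the caller is
    authorized for this specific VIN before touching the vehicle."""
    try:
        payload_hex, tag = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return "denied: malformed token"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return "denied: bad signature"
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return "denied: session expired"
    if vin not in OWNERS.get(claims["sub"], set()):
        return "denied: caller not authorized for this vehicle"
    if action not in ACTIONS:
        return "error: unknown action"
    return _apply(vin, action)


def forge_subject(token, new_user):
    """What an attacker holding one valid token might try: rewrite 'sub' to
    another user.  The signature no longer matches, so the hardened endpoint
    rejects it; the weak endpoint never asked for a token at all."""
    payload_hex, tag = token.split(".")
    claims = json.loads(bytes.fromhex(payload_hex))
    claims["sub"] = new_user
    forged = json.dumps(claims, sort_keys=True).encode()
    return forged.hex() + "." + tag


if __name__ == "__main__":
    print(weak_remote_command("WDD2130001A000002", "unlock"))   # anyone can
    tok = issue_session("alice")
    print(hardened_remote_command(tok, "WDD2130001A000002", "start"))  # denied
    print(hardened_remote_command(tok, "WDD2130001A000001", "start"))  # allowed
```

The point of the hardened path is the order of checks: integrity of the session first, expiry second, and only then the per-vehicle authorization lookup. A backend that skips the last check is still "authenticated" in the narrow sense but behaves exactly like the weak endpoint for any caller who holds one valid session or one set of leaked backend credentials.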
Shekhar Ashok Pawar is CEO of GrassDew IT Solutions Pvt Ltd, which primarily focuses on Cybersecurity Assessment & Audits, IT Consulting, Customised Software Development and Software Products. With more than 15 years of international experience, he is CISA, CEH, CHFI, MCP, Blockchain Developer, Dip Cyber Laws, CMMi Level 5 ATM & ISO 27001 LA. He is also a certified H/W & S/W expert for Mobile Phones, Computers and CCTV cameras. He completed Executive Management (SJMSOM, IIT-Bombay) after Engineering in Electronics & Telecommunications, Mumbai. He is also certified in "Digital Signal Processor & Applications" by Analog Devices - DSP Learning Center, IIT Madras.
He is the lead contributor to GrassDewPanther @ LinkedIn, which is focused on sharing global cyber threats and related news. Shekhar's recent book "Air Team Theory: Understanding 10 Types of Team Mates and Best Practices to Succeed" was published in January 2020 and is a hot-seller on Amazon.