Security bugs let these car hackers remotely control a Mercedes-Benz

Zack Whittaker
·4-min read
DETROIT, MI - JANUARY 10: Mercedes introduces their new E-Class during a media preview before the start of the North American International Auto Show (NAIAS) on January 10, 2016 in Detroit, Michigan. The show is open to the public from January 16-24. (Photo by Scott Olson/Getty Images)
DETROIT, MI - JANUARY 10: Mercedes introduces their new E-Class during a media preview before the start of the North American International Auto Show (NAIAS) on January 10, 2016 in Detroit, Michigan. The show is open to the public from January 16-24. (Photo by Scott Olson/Getty Images)

Few could ever forget back in 2015 when security researchers Charlie Miller and Chris Valasek remotely killed a Jeep's engine on a highway with a Wired reporter at the wheel.

Since then, the car hacking world has bustled with security researchers looking to find new bugs — and ways to exploit them — in a new wave of internet-connected cars that have only existed the past decade.

This year's Black Hat security conference — albeit virtual, thanks to the coronavirus pandemic — is no different.

Security researchers at the Sky-Go Team, the car hacking unit at Qihoo 360, found more than a dozen vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine.

Most modern cars are equipped with an internet connection, giving passengers access to in-car entertainment, navigation and directions, and more radio stations than you can choose from. But hooking up a car to the internet puts it at greater risk of remote attacks — precisely how Miller and Valasek hijacked that Jeep, which ended up in a ditch.

Although vehicle security has gotten better over the past half-decade, Sky-Go's researchers showed that not even one of the most recent Mercedes-Benz models are impervious to attacks.

In a talk this week, Minrui Yan, head of Sky-Go's security research team, said the 19 security vulnerabilities were now fixed, but could have affected as many as two million Mercedes-Benz connected cars in China.

Katharina Becker, a spokesperson for Mercedes' parent company Daimler, pointed to a company statement published late last year after it patched the security issues. The spokesperson said Daimler could not corroborate the estimated number of affected vehicles.

"We addressed all findings and fixed all vulnerabilities that could be exploited before any vehicle in the market was affected," said the spokesperson.

After more than a year of research, the end result was a series of vulnerabilities that formed an attack chain that could remotely control the vehicle.

To start, the researchers built a testbench to reverse-engineer the car's components to look for vulnerabilities, dumping the car's software and analyzing the car's internals for vulnerabilities.

The researchers then obtained a Series-E car to verify their findings.

At the heart of the research is the E-Series' telematics control unit, or TCU, which Yan said is the "most crucial" component of the car, as it allows the vehicle to communicate with the internet.

By tampering with the TCU's file system, the researchers got access to a root shell — a way to run commands with the highest level of access to the vehicle's internals. With root shell access, the researchers could remotely open the car's doors.

The TCU file system also stores the car's secrets, like passwords and certificates, which protect the vehicle from being accessed or modified without proper authorization. But the researchers were able to extract the passwords of several certificates for several different regions, including Europe and China. By obtaining the vehicle's certificates and their passwords, the researchers could gain deep access to the vehicle's internal network. The car's certificate for the China region had a weak password, Yan said, making it easier to hijack a vulnerable car in the country.

Yan said the goal was to get access to the car's back end, the core of the vehicle's internal network. As long as the car's back-end services can be accessed externally, the car is at risk of attacks, the researchers said.

The way the researchers did this was by tearing down the vehicle's embedded SIM card, which allows the car to talk to the cell networks. A security feature meant the researchers couldn't plug the SIM into a router without freezing access to the cell network. The researchers modified their router to spoof the vehicle, effectively making the cell network think it was the car.

With the vehicle's firmware dumped, the networking protocols understood and its certificates obtained and cracked, the researchers say they could remotely control an affected vehicle.

The researchers said the car's security design was tough and able to withstand a number of attacks, but it was not impervious.

"Making every back-end component secure all the time is hard," the researchers said. "No company can make this perfect."

But at least in the case of Mercedes-Benz, its cars are a lot more secure than they were a year ago.

Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: zack.whittaker@protonmail.com