Vulnerability
sysops

Cybersecurity researchers have identified significant vulnerabilities within the Mercedes-Benz User Experience (MBUX) infotainment system, leading to unauthorized remote access capabilities. 

The Mercedes-Benz User Experience (MBUX) system serves as the sophisticated infotainment backbone for various models, including the A-Class, E-Class, GLE, GLS, and EQC. 

MBUX integrates advanced features such as voice recognition, augmented reality navigation, and comprehensive vehicle control interfaces, all structured around a complex software and hardware architecture designed to enhance user experience and safety.

Findings of Vulnerabilities

According to Keen Labs analysis, the researchers established a controlled test environment in which they meticulously analyzed both the hardware and software components of MBUX. 

The team identified and explored various potential entry points for exploitation, including core components such as the head unit and the telematics control unit (T-Box). Rigorous security assessments were performed, focusing on the modern complexities associated with infotainment systems.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free

The researchers discovered multiple security flaws within the latest infotainment system tracked as CVE-2021-23906, CVE-2021-23907, CVE-2021-23908, CVE-2021-23909, and CVE-2021-23910. 

These vulnerabilities grant unauthorized entities the ability to control certain functions of the car remotely; however, they do not extend to critical physical features like steering or braking systems.

This access allowed to manipulate several vehicle functionalities remotely, including:

changing internal lighting within the vehicle and displaying arbitrary images on the infotainment screen, potentially misleading drivers or passengers.

Notably, they successfully exploited vulnerabilities associated with the head unit and T-Box, enabling them to gain both physical and remote access to the main infotainment Electronic Control Unit (ECU). 

A critical moment in their investigation involved compromising an internal chip within the T-Box. The team demonstrated this exploit by sending arbitrary Controller Area Network (CAN) messages from a debug version of the T-Box, effectively showcasing how vulnerabilities in the T-Box can lead to remote vehicle manipulation.

In alignment with industry standards for responsible disclosure, the researchers promptly reported their findings to Daimler AG, the parent company of Mercedes-Benz. 

The company has initiated immediate steps to patch the identified vulnerabilities and enhance the security measures around the MBUX system. 

As vehicles become increasingly connected, the potential for exploitation rises, necessitating robust protective mechanisms. The findings serve as a wake-up call for manufacturers to invest in stronger security infrastructures, conduct regular assessments, and improve transparency regarding the security of their technologies.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Related Posts

A new AI tool named Vulnhuntr has been introduced, revolutionizing the way vulnerabilities are discovered in open-source projects. This innovative…

A proof-of-concept (PoC) exploit has been released for a high-severity Remote Code Execution (RCE) vulnerability in the Apache HugeGraph Server.…

Google has released a patch for a critical zero-day vulnerability, CVE-2024-32896, which was actively exploited in the wild. This vulnerability,…