The Mercedes-Benz E-Class went to market riddled with 19 vulnerabilities, which, among other things, could enable attackers to remotely unlock the car door and start its engine. Researchers say the flaws, detailed at Black Hat USA on Thursday, potentially impacted over 2 million Mercedes-Benz connected cars before they were fixed.
The E–Class is a range of executive cars manufactured by the German automaker, with in-vehicle infotainment systems and various connectivity functionalities. Researchers with the Sky-Go car threat research team, which is part of the security company 360 Group, initially reported the flaws to Mercedes-Benz on Aug. 21 of last year, and an initial fix was deployed on Aug. 26. The researchers have now publicly disclosed the vulnerabilities.
“We reported the flaws to Mercedez-Benz, we found about 19 vulnerabilities,” said Minrui Yan, head of the Sky-Go Team with 360 Group, presenting with Jiahao Li, researcher with 360 Group, at Black Hat. “The key impact is that we can send a ‘remote services’ commands to the car. We did see many security considerations in the Mercedes-Benz.”
Connected Car Features
Various security holes were discovered throughout the connectivity functionality architecture of the Mercedes-Benzes.
The first part of this architecture is the “Head-Unit,” or the infotainment system. Researchers specifically looked at the infotainment system in the Mercedes-Benz E300L model, code-named NTG-55 and designed by Mitsubishi Electronics. The system features multimedia functions and also connects to the “Mercedes Me” mobile application. This app allows users to monitor their vehicles in detail, including remotely starting, or locking and unlocking, their vehicle — or even noting how much fuel is in the tank. Researchers found one flaw in the Head-Unit, which has not yet been assigned a CVE.
Meanwhile, a critical communication intermediary between the external network and the in-vehicle network in the car is a Telematics Control Unit (TCU) called HERMES, which is short for Hardware for Enhanced Remote-, Mobility- & Emergency Services. Its functionalities include the ability to make emergency calls and informational calls, and support for remote diagnosis, local diagnosis, and more. But, it also contains a communication module that supports 3G and 4G networks, and can be set up with a short-range wireless network (Wi-Fi or Bluetooth) for the infotainment system. Researchers found six of the 19 flaws in the HERMES component (including CVE-2019-19556, CVE-2019-19560, CVE-2019-19562, CVE-2019-19557, CVE-2019-19561 and CVE-2019-19563).
Other flaws existed in the backend of the vehicle (nine flaws; eight of which had no CVE assigned and the ninth tied to CVE-2019-19558) and the operations system of the car (two flaws without CVEs assigned). Of note, in order to protect the intellectual property of Mercedes-Benz automaker Daimler, researchers disclosed limited security designs and code details.
In order to send remote-services commands, researchers probed the HERMES TCU system of the car, which they say is the most crucial component in the whole system, since it features the communication module that connects the in-vehicle infotainment network and the external network and Mercedes Me app.
In order to further inspect HERMES, researchers needed physical access to the system since the firmware wasn’t available on a vendor site or by proxying traffic. They physically opened the NAND flash storage containing the firmware using a ball-grid array (BGA) Rework Station with a socket that they made themselves.
Researchers then found that they were able to “tamper with the file system by adding an interactive shell with root privileges. We found an engineer-mode program for debugging the TCU system, with access to the CAN bus via operating the MCU [a chip-level microcontroller],” said researchers. “Thus, we can perform some operations for example, lock or unlock the doors.”
Researchers also found various other issues. For instance, TCU file systems stored the “pkcs12” client certificates, passwords and CA certificates for the car’s back-end server – and researchers were able to sniff out the encrypted password files for certificates, which had a suffix “.passwd.”
“The key of the certificate is encrypted to a file, so we can get the certificate key by compiling the decrypting tool with OpenSSL, obtaining the password of the certificate key. After decryption, the passwords of client certificate … can be obtained,” they said.
Researchers also found a server-side request forgery (SSRF) flaw on the back-end surface of the car’s infotainment system, in a feature of the complementary web application that allows users to add their social-media accounts to the system: “An SSRF vulnerability occurred in the back-end service, as the image provider failed to filter the parameters we input,” they explained. “The plugin developers have less consideration of the requested URL. For example, if we submit a local URL to the image provider, it’ll return the contents we requested. ”
Aside from remote lock and start, the researchers have not been able to access any safety-critical functions of the vehicle, they said during their session. Guy Harpak, head of Product Security for Mercedes-Benz R&D, said Mercedes-Benz took several incident response (IR) steps after learning of the vulnerabilities. These include selectively blocking services and providing immediate fixes; launching forensic investigations and deploying more long-term fixes.
“We have an example here of a strong research community working with a strong industry can bring better security,” Harpak said during the session.
As they become more connected, more and more vehicles are facing security holes. Previous researchers have discovered flaws in car infotainment systems, as well as the wares of specific automakers like Volkswagen, Jeep and more.
Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2 p.m. ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.