Mercedes-Benz luxury cars are now packed with technologies that were only the subject of sci-fi movies decades ago. However, as its cars become more connected, their exposure to hacking has increased. Security researchers at Sky-Go, the cybersecurity division of Chinese vendor Qihoo 360, found at least 19 security flaws in the Mercedes-Benz E-Class that would let them remotely access key functions of the vehicle and even start its engine.
In 2017, a video surfaced showing two thieves in the UK using a relay hacking method to exploit the keyless entry system of a Mercedes car. It took them less than 30 seconds to drive off with it. This is just one of the examples that Sky-Go demonstrated in its presentation at a recent Black Hat cybersecurity conference.
Sky-Go’s research on the three-pointed star brand started in 2018. Its researchers chose the Mercedes-Benz E-Class as their specimen because its “infotainment system has the most connectivity functionalities of all.” The people at the cybersecurity firm said they were able to hack into the car’s head unit, which gave them access to its telematics control unit (TCU) and the backend.
The researchers explained that the Car Backend is the “core of Connected Cars.” They said that as long as it can be accessed through an external medium, it is at risk of being attacked. Once that happens, all other vehicles connected to the Car Backend are compromised too.
Without delving too much into the technical details, Sky-Go used the car’s eSIM to get into the backend. The eSIM is basically the vehicle’s gateway to the Internet and external servers. It also allows the car to be controlled remotely via the Mercedes Me smartphone app.
Because requests sent by the mobile app to the backend lacked authentication, hackers can use the flaw to lock and unlock doors, open and close the roof, activate the lights, and start the engine. The researchers noted, though, that they couldn’t bypass the car’s safety functions.
After discovering the vulnerabilities, Sky-Go sent its findings to Daimler in August last year. Mercedes patched the issues a month later.
Although the E-Class is safer for now, thanks to Sky-Go, the security expert warned that “making every backend component secure all the time is hard. No company can make this perfect.”