Mercedes-Benz MBUX Infotainment System’s Vulnerabilities Are Now Patched
Published
- Over a dozen vulnerabilities discovered in a Mercedes-Benz infotainment system have been addressed in a security bulletin.
- These include buffer overflow, privilege escalation, denial-of-service attacks, code injection, and more.
- The identified vulnerabilities affect the first-generation MBUX system and have now been patched.
Mercedes-Benz has addressed over a dozen security vulnerabilities discovered in its first-generation infotainment system, the Mercedes-Benz User Experience (MBUX). The security flaws have been patched and are not straightforward to exploit.
Russian cybersecurity firm Kaspersky detailed its newly identified vulnerabilities alongside advisories addressing each issue. The investigation into the MBUX builds upon research conducted by a Chinese team that initially revealed findings about the system in 2021.
The identified vulnerabilities affect the first-generation MBUX system and range in severity. According to Kaspersky, several flaws can enable denial-of-service (DoS) attacks, while others allow attackers to obtain sensitive data, conduct command injection, and escalate system privileges.
Significantly, Kaspersky revealed that an attacker with physical access to the vehicle could manipulate certain vulnerabilities to bypass anti-theft protections, perform vehicle tuning, or unlock restricted paid services.
These attacks required direct access to the car's head unit via USB or custom UPC (universal programming cable) connections.
All identified vulnerabilities have been assigned 2023 and 2024 CVE identifiers. However, Mercedes-Benz has indicated that the carmaker was alerted to the vulnerabilities in 2022 and has since addressed them.
"The topic described by the researchers requires physical access to the vehicle on site as well as access to the interior of the vehicle. In addition, the head unit has to be removed and opened. Newer versions of the infotainment system are not affected,” a Mercedes-Benz spokesperson explained.
Mercedes-Benz also highlighted its ongoing vulnerability disclosure program, which encourages researchers to report any findings. Yet, this is not the first time Mercedes-Benz has faced cybersecurity scrutiny.
The CVE details will be published on GitHub. During the process of vulnerability disclosure with the vendor, the following CVE IDs were assigned:
- CVE-2024-37602
- CVE-2024-37600
- CVE-2024-37603
- CVE-2024-37601
- CVE-2023-34406
- CVE-2023-34397
- CVE-2023-34398
- CVE-2023-34399
- CVE-2023-34400
- CVE-2023-34401
- CVE-2023-34402
- CVE-2023-34403
- CVE-2023-34404
Related
Most Popular
Most Popular