In the past years, we have analyzed the security of connected vehicles from top brands worldwide, such as BMW[1], Lexus[2], and Tesla[3][4][5]. Mercedes-Benz is also a great vehicle vendor, producing some of the most advanced cars in the world, so it is worthwhile to study cars made by Mercedes-Benz.

Mercedes-Benz's latest infotainment system is called Mercedes-Benz User Experience (MBUX). Mercedes-Benz first introduced MBUX in the W177 Mercedes-Benz A-Class[6] and has since adopted it across their entire vehicle line-up, including the Mercedes-Benz C-Class, E-Class, S-Class, GLE, GLS, EQC, etc. MBUX is powered by Nvidia's high-end autonomous vehicle platform. Many cutting-edge technologies are present in this system, such as virtualization, TEE, augmented reality, etc.

Earlier this year, Qihoo 360 published their research on Mercedes-Benz[7], which mainly focused on the Mercedes-Benz T-Box rather than the central infotainment ECU, the head unit. The test bench shown in their presentation was built with an NTG5 head unit, which is a bit old. In MBUX, the tested head unit version is NTG6 (used in the A-Class, E-Class, GLE, GLS and EQC). Our research was based on this brand new system: MBUX, the NTG6 head unit, and the W177 vehicle.

In our research, we analyzed many attack surfaces and successfully exploited some of them on the head unit and T-Box. By combining some of them, we can compromise the head unit in two attack scenarios: removed head units and real-world vehicles. We showed what we could do after we compromised the head unit. Figure 1.1 demonstrates the compromise of an actual car. We didn't find a way to compromise the T-Box. However, on a debug version of the T-Box, we demonstrated how to send arbitrary CAN messages from the T-Box and how to bypass the code signing mechanism to flash custom SH2A MCU firmware by using the vulnerability we found in the SH2A firmware.
Download PDF: https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf