Here's how hackers were able to remotely control a Mercedes E-Class.
As modern cars become more high-tech and connected than ever before, they also become more vulnerable to hackers trying to steal and control them remotely. Mercedes-Benz produces some of the most technologically advanced cars in the world, loaded with cameras, sensors, and semi-autonomous technology to make them safer, but research has shown they aren't immune to security hacks. Security researchers from Sky-Go, the cybersecurity division of the Chinese security vendor Qihoo 360, recently discovered as many as 19 security flaws in the Mercedes E-Class.
During a recent Black Hat cybersecurity conference, Sky-Go demonstrated how these flaws could have been exploited to remotely access a number of the car's functions and even start the engine without touching the car.
Sky-Go's research into Mercedes-Benz started back in 2018. The Mercedes E-Class was chosen because its "infotainment system has the most connectivity functionalities of all." As Sky-Go explains in a lengthy report, the researchers were able to break into the car's head unit and access the telematics control unit (TCU) and the backend.
"Car Backend is the core of Connected Cars. As long as Car Backends' services can be accessed externally, it means that car backend is at risk of being attacked. The vehicles connecting to this Car Backend are in danger, too. So, our next step is to try to access Car Backend," Sky-Go's researchers explained.
Sky-Go's researchers were able to access the car's backend using the car's eSIM, which connects to the internet, contacts external servers, and allows some functions of the car to be controlled remotely using the Mercedes Me smartphone app.
Since the requests sent by the mobile app to the backend weren't authenticated, hackers would have been able to remotely lock and unlock the doors, open and close the roof, turn on the lights, and potentially start the engine. However, the researchers were not able to hack any of the car's safety functions.
Potentially, these vulnerabilities could have affected over two million Mercedes-Benz connected cars in China. Fortunately, Sky-Go's discoveries were reported to Daimler in August 2019 and fixed one month later, so you can rest assured that Mercedes cars are more secure than ever. However, Sky-Go warns that "making every backend component secure all the time is hard. No company can make this perfect."