
Experts find security flaws in Mercedes-Benz infotainment systems


Experts from security firm SecureLabs have disclosed over a dozen security vulnerabilities in the Mercedes-Benz infotainment system, dubbed Mercedes-Benz User Experience (MBUX). The flaws include DDoS, data extraction, command injection, and privilege escalation vulnerabilities.

The Kaspersky-owned security firm builds upon previous research done by a Chinese security company, KeenLab, which published its findings in 2021. The vulnerabilities found have been assigned CVE identifiers from 2023 and 2024, but SecurityWeek reports Mercedes-Benz has been aware of the issues since August 2022.

SecureLabs’ report claims that attackers can exploit some of the discovered security vulnerabilities to disable the system's anti-theft features. These vulnerabilities can also be exploited for the potential benefit of the user, such as enabling custom tuning on the car or even unlocking paid services. That said, since the attacks can only be carried out over a USB or custom UPC connection to the car, an attacker needs physical access to the targeted vehicle to exploit any of the vulnerabilities.

The tests were conducted on the first version of the MBUX. Given that the automotive giant has updated its systems to MBUX version 2.2, most vulnerabilities have likely been patched. However, any cars running the first MBUX version are still potential targets. MBUX updates can be downloaded OTA (over the air) from the infotainment system or via an external USB stick.

Mercedes-Benz also has a vulnerability disclosure program, which it encourages security researchers to use to report vulnerabilities in its systems responsibly. However, some vulnerabilities slip by, and there have been reports of similar vulnerabilities being exploited in the wild to remotely hack these cars. The company’s infrastructure has also been attacked in the past. In 2024, researchers discovered that a leaked GitHub token gave access to all source code stored in the company’s GitHub Enterprise server.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.