Mercedes-Benz security bug — a sign of connected vehicle security issues?

• A new cohort of internet-connected vehicles are emerging as digital-first designs are dominating
• A group of researchers revealed how security flaws in connected vehicles can be exploited

The automotive industry has undergone one of the most dramatic digital transformations. Car keys and car manuals are taking on digital formats, and autonomous vehicles that interact with their surroundings via 5G technology are on the express lane to commercialization. 

The upshot is that cars are becoming increasingly connected, and that spells huge opportunities for the advancement of personal transportation and logistics. But this connectivity also opens vehicles up to new vulnerabilities, namely cyber threats.

Last year, Mercedes announced that it had patched security issues found in its vehicles, and a recently-published report revealed researchers had found 19 vulnerabilities in a Mercedes E-Class car. 

A team of security researchers at the Sky-Go Team detailed the way they were able to form an attack chain and remotely take control of the vehicle. The head of Sky-Go’s security research team, Minrui Yan, shared the findings at this year’s Black Hat security conference, as reported in TechCrunch.

The security team was able to analyze the car’s internal for vulnerabilities, tamper with the vehicle’s TCU (a component that allows the vehicle to communicate with the internet) and extract sensitive data such as passwords and certificates from the vehicle. By doing so, the researchers were able to gain deeper access to the vehicle’s internal network. In the end, the team could remotely control the affected vehicle and execute commands like opening the doors and starting the engine.

The researchers concluded that the car’s security design was tough and could withstand several attacks, but it was not impervious. 

Current findings are worrying, and seem to show that — despite the rapid development of autonomous vehicles for both the commercial and consumer markets — cybersecurity still isn’t being given the serious consideration it deserves.

In May, resold Tesla units were found to contain previous owner’s personal data after evidence revealed Tesla doesn’t routinely erase personal data from replaced components. The discovered data includes home and work location, saved wifi passwords, calendar entries from phones, and other personal details such as call lists as well as address books — all of which can be exploited by hackers. 

Essentially, the incident illustrates how a key player in the autonomous vehicle landscape could overlook such a vital aspect of cybersecurity and if a premature cybersecurity framework could lead to more dire consequences in the future. 

The principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), Tim Mackey told TechHQ that proper management of data such as restraining the access to data and ensuring stored data is deleted during customer replacement is “a high priority.”

He reiterated the significance of these practices as we embark in a world of connected vehicles on the road. 

As more connected cars become the norm, cybercriminals are taking advantage of shared information protocols such as vehicle-to-vehicle (V2V) and vehicle-to-everything (V2X). Bad actors can glean and exfiltrate streams of data from these protocols, posing high-security risks for the driver and vehicle. Hence, cybersecurity should be at the heart of designing and developing connected vehicles. 

As autonomous vehicle technology becomes more advanced and sophisticated over the course of the next few years, so too will attackers. When fleets of driverless 18-wheelers are crossing our countries, society will need to be assured that they are unhackable.