Lessons Drawn from Mercedes-Benz CAV Software Bug Issues

In 2019, Mercedes-Benz revealed that it had patched security issues found in its vehicles.

A report reveals that Sky-Go’s researchers had found 19 vulnerabilities in a Mercedes E-Class car. The findings raise the concern that the cyber-security for connected and autonomous vehicles (CAVs) is not being taken seriously enough. Jia Jen Low, writing for TechHQ in her 12^th August 2020 article, Mercedes-Benz security bug — a sign of connected vehicle security issues? comments: “Last year, Mercedes announced that it had patched security issues found in its vehicles, and a recently-published report revealed researchers had found 19 vulnerabilities in a Mercedes E-Class car.  A team of security researchers at the Sky-Go Team detailed the way they were able to form an attack chain and remotely take control of the vehicle.”

She adds: “The security team was able to analyze the car’s internal for vulnerabilities, tamper with the vehicle’s TCU (a component that allows the vehicle to communicate with the internet) and extract sensitive data such as passwords and certificates from the vehicle. By doing so, the researchers were able to gain deeper access to the vehicle’s internal network. In the end, the team could remotely control the affected vehicle and execute commands like opening the doors and starting the engine.”

Securing collaborations

The automaker’s parent company, Daimler, reports that the bugs have since been fixed. To tackle IT security issues such as these ones, it also reveals that Mercedes-Benz and international information security company 360 Group have joined forces to work together to strengthen car IT security for industry.

To protect the safety of its customers in its vehicles it is now using the 360 Cyber Security Brain, which it describes as “an advanced system that realizes the intelligent upgrade of cyber-security defense, includes different kind of security capabilities supported by different security research teams from 360 Group.”

Resolve bugs quickly

There may, nevertheless, be some lessons to be learned from Mercedez-Benz’s experience. Daniel Cuthbert, member of the Black Hat Review Board and the Global Head of Cyber Security Research at Banco Santander, comments on how important it is to prevent and resolve software bugs quickly and how about they can present a security problem to CAVs:

“If we look at the history of the Internet with regards to bugs, how they are weaponized by those wanting to do evil things with, it doesn’t take a genius to see that anything found to be vulnerable in a 2-tonne car traveling at speed, needs to be taken seriously. CAVs not only have the safety element to think about but also the privacy one too. I don’t want my car tracking me, where I go and how I drive and utilizing that data in a way I’m unable to prevent.”

Security, seriously?

On the question of whether car manufactures are taking IT and cyber-security seriously, he says there has certainly been a change in recent years. To him the turning point was when Toyota their new car hacking tool, called PASTA (Portable Automotive Security Testbed) in 2018.

“This was amazing as it showed a huge carmaker embracing the hacking community by not only talking at Blackhat but also releasing code for those interested to play with PASTA,” he says. In his view this has opened the floodgates to taking security seriously. It led to a joint effort, for example, with BMW and Tencent Keen Security Lab “talking about the vulnerabilities that were discovered and how BMW resolved them”. Mercedes-Benz has done the same and ,so he thinks, “this shows…that security is being taken seriously finally, which is a good thing”.

Vulnerabilities: nothing new

Talking about the key lessons from the Mercedes-Benz experience, and putting the vulnerabilities into the context of the internet and the World Wide Web, he believes what happened wasn’t “that fancy at all and we’ve been hearing about such vulnerabilities for decades”. However, with cars increasingly connected to the internet as part of the Internet of Things (IoT), the incidents are making headlines.

Cuthbert says this will inevitably make the pubic ask questions, such as: “Can my car be hacked by anyone whilst I’m driving?”; or “Can someone steal it from another country?” It would be reassuring to know that, in his experience, the answer is more than often a resounding, “No.” He suggests that cars aren’t going to be controlled by an evil hacker, from perhaps a shady country.

He says the researchers even admitted that themselves. The car’s design was found to be touch with the ability to withstand several attacks but it was by no means impervious. However, he admits that embedding security into the lifecycle is a struggle “we all face…there is no silver bullet or product we can buy to make things magically secure”.

“Shifting left, as all the cool kids call it today, is about bringing security into the process at the start of design and manufacturing, not at the end. It’s also about bringing in the right people, this is one area where you can’t automate and lean on artificial intelligence to save you.”

Improving security

To improve cyber-security and data protection, he believes there is something “unique or special that car manufacturers can do” because finds that £there is a strong community of those pushing out standards and guidance that can be leveraged.” In the UK, this includes, The Department for Digital, Culture, Media & Sport (DCMS), which has release a ‘call for views’ as part of its Secure by Design agenda. It’s about how interconnected products should be designed in order to safeguard consumers.

He adds: “OWASP is another organization that has decades of experience in helping those embrace embedded security in the application space, and the Application Security Verification Standard (ASVS) one I’m a co-author of, has helped millions of people design and test systems.”

In conclusion, he says the key to making sure CAVs are more secure is to ask, as Mercedes-Benz have done, for help. It’s also important to embrace the work of others, without being afraid to admit that usable and secure products aren’t easy to create. So, he argues that’s what car manufacturers need to when connecting cars to the web.