Mercedes-Benz Infotainment System (IVI) Vulnerabilities

How KasperskyOS Safeguards Today’s Connected Cars
The Kaspersky team has conducted a comprehensive security analysis of the subsystems within the first-generation Mercedes-Benz infotainment system, building on earlier work by Tencent Keen Security Lab. (It’s worth noting that although these first-generation systems are not the newest, they remain widely used due to the long lifespan of vehicles.) The study was carried out on a real Mercedes B180 car using a proprietary hardware and software testing platform. This enabled researchers to identify architectural flaws in the infotainment system and demonstrate how these vulnerabilities could be exploited by attackers.

One of the key security concerns with the Mercedes-Benz User Experience (MBUX) system lies in its reliance on legacy components and communication protocols, such as thriftme, MoCCA, and GCF. These elements significantly expand the attack surface for potential threats. Vulnerabilities are often found at the intersection of data processing, command execution, and transcoding, making defence challenging without a systematic approach. Notably, Kaspersky researchers exploited a known Polkit vulnerability (CVE-2021-4034), which allowed privilege escalation and administrative access to the system.

The study focused on attacks within the near perimeter—requiring physical access via USB or diagnostic tools—but it still highlighted critical weaknesses inherent in modern infotainment systems. At the lower end of the spectrum, these vulnerabilities could enable a car owner to unlock certain paid features without payment. However, on a more serious level, attackers could exploit these flaws to disable vital safety systems, such as anti-theft mechanisms, airbags, or stability control. Such risks pose a significant threat to the safety and well-being of both the driver and passengers.

Additional risks stem from the system’s architecture, which is built on the monolithic Linux kernel. With its 30 million lines of code, identifying vulnerabilities becomes an immensely complex task, and the system is inherently more exposed to attacks on privileged processes. Modern infotainment systems, including MBUX, offer extensive functionality and support numerous interfaces, including third-party applications. However, integrating functions such as Wi-Fi hotspot control and anti-theft systems within the same module as multimedia raises concerns. The use of three separate service brokers (thriftme, MoCCA, and GCF) further complicates efforts to secure the system.

According to KasperskyOS specialists, who develop systems to protect modern connected cars, it is essential to separate security functions, unify service brokers, and implement the network gateway as a standalone component based on a more secure operating system, such as KasperskyOS. This approach minimises the attack surface, simplifies codebase auditing, and ensures a high level of trust in critical vehicle functions.

These principles are already realised in the Kaspersky Automotive Secure Gateway (KASG), a product designed to control access to vehicle functions, cloud connectivity, and other critical interfaces via a dedicated Secure Gateway unit.

How KASG Could Have Prevented the Threats Identified in the MBUX System

Secure Boot. KASG verifies the boot status of all critical components, including CAN traffic routing. This ensures that attacks on body control units are prevented and critical vehicle functions remain secure from tampering.

UDS Routing. By utilising modern authorisation mechanisms, such as SID 0x29 and Digital Key, KASG significantly reduces the risk of vulnerabilities being exploited in the system. This approach is far more robust than the legacy methods employed in the first-generation MBUX system.

Integration with Vehicle SOC. KASG transmits data on attempted attacks to a Security Operations Centre (SOC). Any Verified Boot violations or unauthorised accesses are promptly logged and forwarded to the SIEM system, enabling swift responses from security analysts.
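As an added illustration of the two points above (gating diagnostic traffic on the modern UDS Authentication service, SID 0x29, instead of legacy SecurityAccess, and logging every refused attempt for the SOC), here is a minimal routing policy for a diagnostic gateway. This is example code, not KASG's or KasperskyOS's implementation; the set of protected services, the constant that stands in for a valid certificate, and the abbreviated positive responses (SID + 0x40 echoing the sub-function only) are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SID_SECURITY_ACCESS = 0x27      # legacy seed/key SecurityAccess service
SID_AUTHENTICATION = 0x29       # certificate-based Authentication service (ISO 14229-1:2020)
NRC_INVALID_FORMAT = 0x13
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_AUTHENTICATION_REQUIRED = 0x34
NRC_CERT_INVALID_SIGNATURE = 0x51
# Gateway policy (assumption): ECUReset, WriteDataByIdentifier, RoutineControl and
# RequestDownload may reach body/safety ECUs only from an authenticated session.
PROTECTED_SIDS = {0x11, 0x2E, 0x31, 0x34}


@dataclass
class GatewaySession:
    authenticated: bool = False
    events: List[dict] = field(default_factory=list)  # audit records forwarded to the SOC/SIEM


def verify_certificate(cert: bytes) -> bool:
    """Stand-in for the real certificate chain check (assumption: a fixed constructed value is 'valid')."""
    return cert == b"CONSTRUCTED-VALID-CERT"


def negative_response(sid: int, nrc: int) -> bytes:
    return bytes([0x7F, sid, nrc])


def route_uds(session: GatewaySession, request: bytes) -> Tuple[str, Optional[bytes]]:
    """Return ("forward", None), ("respond", reply) or ("reject", negative_response)."""
    if not request:
        return "reject", negative_response(0x00, NRC_INVALID_FORMAT)
    sid = request[0]
    if sid == SID_SECURITY_ACCESS:
        # Legacy seed/key is not honoured by the gateway; record it as a probe.
        session.events.append({"event": "legacy_security_access_blocked", "sid": sid})
        return "reject", negative_response(sid, NRC_SERVICE_NOT_SUPPORTED)
    if sid == SID_AUTHENTICATION:
        sub = request[1] if len(request) > 1 else None
        if sub == 0x00:                                      # deAuthenticate
            session.authenticated = False
            return "respond", bytes([sid + 0x40, sub])
        if sub == 0x01 and verify_certificate(request[2:]):  # verifyCertificateUnidirectional
            session.authenticated = True
            return "respond", bytes([sid + 0x40, sub])
        session.events.append({"event": "authentication_failed", "sid": sid, "sub": sub})
        return "reject", negative_response(sid, NRC_CERT_INVALID_SIGNATURE)
    if sid in PROTECTED_SIDS and not session.authenticated:
        # The unauthorised access the SOC integration relies on seeing: refused and logged.
        session.events.append({"event": "unauthenticated_protected_request", "sid": sid})
        return "reject", negative_response(sid, NRC_AUTHENTICATION_REQUIRED)
    return "forward", None
```

Services outside the protected set (for example ReadDataByIdentifier, 0x22) are forwarded regardless of session state, so the policy adds friction only where a request could change ECU behaviour.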

OTA Upgrades. KASG supports centralised over-the-air updates for components, allowing vulnerabilities to be addressed in a timely manner. This proactive approach minimises the risk of repeated attacks and ensures ongoing operational security for the entire fleet.

A Cyberimmune Approach to Development: Constructive Security

The constructive security principles implemented in KasperskyOS enable effective isolation of critical system components and minimise the attack surface. By isolating domains, controlling their interactions, and reducing the trusted code base, this approach ensures a high level of system resilience against attacks. This methodology is what we term cyberimmunity.

For instance, if the MBUX system were built on KasperskyOS, the Polkit vulnerability could not have been exploited due to the strict isolation of privileged processes. Similarly, utilising the Kaspersky Automotive Secure Gateway (KASG) to manage security features would protect the car from attacks targeting anti-theft systems or paid features.

It is evident that modern infotainment systems require a fundamental rethinking of their security approaches. Outdated technologies and insufficient privilege isolation leave systems vulnerable to attacks, jeopardising both vehicle functionality and the safety of their owners.

KasperskyOS and Kaspersky Automotive Secure Gateway provide clear solutions to these challenges. They ensure a high level of trust in critical vehicle functions, not only minimising risks but also simplifying security management. These advancements make modern cars both more reliable and more secure.
