Technical www.aftermarketonline.net MARCH 2025

Keeping ahead of the hackers

As Mercedes-Benz halts potential hackers from exploiting access to vehicles’ AI-powered infotainment systems, cybersecurity expert Jamie Akhtar tells Aftermarket the move is a wake-up call

A report published in January by security researchers from cybersecurity giant Kaspersky said they had discovered a total of 13 vulnerabilities in the first-generation Mercedes-Benz User Experience (MBUX) infotainment system.

The Kaspersky Security Services research revealed how some of the vulnerabilities could be exploited by hackers. Researchers claimed hackers could, if they had physical access to the vehicle, unlock paid services and even disable anti-theft protections.

CEO and co-founder of CyberSmart, Jamie Akhtar, told Aftermarket the report is a stark reminder of the evolving attack surface presented by connected devices and embedded systems in modern vehicles.

“This incident highlights the increasing convergence of cybersecurity and the automotive industry, where software vulnerabilities can expose both users and manufacturers to significant risks.

“It underscores the urgency for robust security measures to be integrated at every stage of development, from design to deployment.”

According to Akhtar, while this breach may focus on a specific vulnerability, it reflects a broader issue within the industry: the challenge of managing complex, interconnected systems. As vehicles become smarter, they also become more susceptible to exploitation, particularly when security is treated as an afterthought rather than a foundational principle.

“Manufacturers must prioritise security-by-design principles, ensuring regular patching, real-time monitoring, and rigorous testing protocols are in place to protect users and their data.”

Akhtar said the incident should serve as a critical lesson for both automotive manufacturers and regulators.
“In an age where vehicles are essentially computers on wheels, cybersecurity cannot be left to chance. It’s essential for the industry to adopt a proactive approach, collaborating with experts, adhering to best practices, and fostering transparency to build user trust and minimise the risks of future exploits.”

Kaspersky said its report was based on analysis of the first generation MBUX.

“Researchers used a combination of diagnostic tools, a certain hardware interface and a corresponding software application to communicate with the vehicle through the hardware device. This setup allowed us to establish communication over DoIP (Diagnostic Over Internet Protocol).”

A spokesperson for Mercedes-Benz told Aftermarket the security of its products and services was a high priority for the car maker and it valued the work of researchers.

“They can contact us via the Vulnerability Disclosure Program and provide information and findings in order to contribute to the development of even better and more secure products and services in addition to the company’s own experts.”

According to Mercedes-Benz, a team of external security researchers contacted the firm in August 2022 regarding the first generation MBUX.

“The topic described by the researchers requires physical access to the vehicle on site as well as access to the interior of the vehicle,” the spokesperson said. “In addition, the head unit has to be removed and opened. Newer versions of the infotainment system are not affected.”

The vulnerabilities have all now been patched.

In the UK, the National Franchised Dealers Association warned last October that the benefits of technological transformation in the automotive industry, including connected vehicles and autonomous driving systems, also came with cybersecurity risks.

Modern cars are more than just machines; they are increasingly complex networks of software and data, connected to the internet and external systems, the NFDA said.
“This connectivity opens the door to potential cyberattacks.