Car Hacking - Analysis of the Mercedes Connected Vehicle API

by Marc Ruef

Keypoints

  • Many modern car manufacturers offer Internet functions in their vehicles
  • In early 2018, Mercedes made an experimental API available
  • As with OBD, it can read vehicle and telemetry data
  • It also allows the vehicle’s current position to be determined
  • Certain interactions, such as opening the vehicle, are also available
  • This harbors certain risks in the areas of privacy and security

People used to talk about the computer in the car, but now they’re talking about a computer on four wheels. A number of manufacturers offer communication with their vehicles through the Internet. This article looks at the options that Mercedes provides in its Connected Vehicle API, recently released in an experimental version.

Connected Vehicle API

Mercedes offers various APIs. Most of them are data-oriented interfaces, such as those that provide purchasers with a Car Configurator or vehicle images.

But January 2018 brought something new – the Connected Vehicle API – still in the experimental phase. This is a means of access through the optional extra Remote Online (11U), which can be used to access status information and telemetry data from networked vehicles using REST. The official Mercedes me app also uses this interface (some of it in a slightly modified and expanded form).

There are extra charges for many of the functions, which must be activated as a Mercedes me connect service for a certain period. In addition, usage requires initial approval through the me.secure.mercedes-benz.com page. At present, the API's capabilities are offered only tentatively and are correspondingly limited. But there are already signs that more functionality will be possible in future versions and vehicle models.

Overview of the Mercedes me app

Communication channels of the Mercedes API


Authentication

Mercedes authenticates the API through OAuth 2.0. This is a procedure standardized in RFC 6749, which is now deployed in various API implementations. Authentication is traditionally carried out using an initial authorization header. For this, the Client ID (user name) and Client Secret (password) must be sent in an HTTP POST request:

curl --request POST \
  --url https://api.secure.mercedes-benz.com/oidc10/auth/oauth/v2/token \
  --header 'Authorization: Basic <BASE64 of YOUR_CLIENT_ID:YOUR_CLIENT_SECRET>' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&code=d0c8b2d3-367e-466b-80b5-45b66172219c&redirect_uri=https%3A%2F%2Ftest.scip.ch'

The server then returns the individual access_token:

{
  "access_token":"1f8647f3-5f86-4b5e-8687-982fd620ef78",
  "token_type":"Bearer",
  "expires_in":3600,
  "refresh_token":"79850753-16ad-48cf-aae7-7e17a4d4882d",
  "scope":"mb:vehicle:status:general mb:user:pool:reader"
}

After this exchange, the access token can be used to send authenticated HTTP GET requests to the API endpoint through the Authorization header:

curl --request GET \
  --url https://<API_URL> \
  --header 'authorization: Bearer 1f8647f3-5f86-4b5e-8687-982fd620ef78'

The access token must be refreshed regularly. Its lifetime is given in seconds in the expires_in field of the token response. The token is renewed through the refresh_token. This is intended to limit misuse by third parties, such as through successful sniffing or brute-force attacks.
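The token lifecycle described above, as an added example that is not part of the original article or of Mercedes' own code: it encodes the client credentials as HTTP Basic, tracks expiry from expires_in, and builds the standard RFC 6749 refresh request. That the token endpoint accepts the standard refresh grant, the 60-second skew and the placeholder credentials are assumptions.

```python
import base64
import time
from urllib.parse import urlencode

# Token endpoint as shown in the article's curl example.
TOKEN_URL = "https://api.secure.mercedes-benz.com/oidc10/auth/oauth/v2/token"

# Token response copied from the article.
SAMPLE_RESPONSE = {
    "access_token": "1f8647f3-5f86-4b5e-8687-982fd620ef78",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "79850753-16ad-48cf-aae7-7e17a4d4882d",
    "scope": "mb:vehicle:status:general mb:user:pool:reader",
}


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials are base64("id:secret"), never the raw pair."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenState:
    """Holds one token response and decides when it has to be renewed."""

    def __init__(self, token_response, issued_at=None, skew=60):
        if token_response.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.access_token = token_response["access_token"]
        self.refresh_token = token_response.get("refresh_token")
        self.scopes = token_response.get("scope", "").split()
        self.issued_at = time.time() if issued_at is None else issued_at
        self.expires_at = self.issued_at + int(token_response["expires_in"])
        self.skew = skew  # assumption: renew this many seconds before expiry

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at - self.skew

    def exposure_window(self, captured_at):
        """Seconds for which a token disclosed at `captured_at` stays valid."""
        return max(0, self.expires_at - captured_at)

    def auth_header(self, now=None):
        """Header for API calls; refuses to hand out a token that is due for renewal."""
        if self.needs_refresh(now):
            raise RuntimeError("access token expired or about to expire")
        return {"Authorization": "Bearer " + self.access_token}

    def refresh_request(self, client_id, client_secret):
        """Build (url, headers, body) for the RFC 6749 section 6 refresh grant."""
        if not self.refresh_token:
            raise RuntimeError("no refresh_token issued; re-authorization needed")
        headers = {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        }
        body = urlencode({"grant_type": "refresh_token",
                          "refresh_token": self.refresh_token})
        return TOKEN_URL, headers, body


if __name__ == "__main__":
    state = TokenState(SAMPLE_RESPONSE)
    print("scopes:", state.scopes)
    print("refresh needed now:", state.needs_refresh())
    # Placeholder credentials, not real values.
    print(state.refresh_request("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")[2])
```

The refresh token outlives the access token, so it deserves the same storage protection as the client secret.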

Accessing the vehicle

A vehicle must first be registered and activated through an authorized Mercedes dealer. Once that is done, communication starts by looking up the vehicle, which is done via vehicles:

curl -X GET \
  https://api.mercedes-benz.com/experimental/connectedvehicle/v1/vehicles \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -H 'Content-Type: application/json'

This returns the vehicles assigned to the user account, each with its id, its registered license plate licenseplate, and its VIN (Vehicle Identification Number) finorvin:

[
    {
        "id": "YOUR_VEHICLE_ID",
        "licenseplate": "ZH-XXXX",
        "finorvin": "WDD***********123"
    }
]

Now that the vehicle is unambiguously identified, you can carry out further functions. That includes assigning multiple vehicles to a single account (for managing a fleet, for instance). Access within the API is largely carried out through id.

Reading data

With the vehicle identified through the id, we can now access it directly and, as a first step, read data. The id must be sent as a parameter:

curl -X GET \
  https://api.mercedes-benz.com/experimental/connectedvehicle/v1/vehicles/YOUR_VEHICLE_ID \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -H 'Content-Type: application/json'

The response will contain the basic data for the vehicle. That includes the designation used in the sale salesdesignation, the year modelyear, color colorname, and engine type fueltype:

{
    "id": "YOUR_VEHICLE_ID",
    "licenseplate": "ZH-****",
    "salesdesignation": "***",
    "finorvin": "WDD***********123",
    "nickname": "Hans Muster",
    "modelyear": "2018",
    "colorname": "polarweiss",
    "fueltype": "Benzin",
    "powerhp": "612",
    "powerkw": "450",
    "numberofdoors": "5",
    "numberofseats": "5"
}

This function only has read rights. It doesn’t allow modifications to documentation (e.g. changing the model year) or vehicle characteristics (e.g. lifting the HP limit).

Reading dedicated telemetry data

As a subsequent step, there is the option of reading all telemetry data. This can include individual elements such as tires, odometer, and fuel:

curl -X GET \
  https://api.mercedes-benz.com/experimental/connectedvehicle/v1/vehicles/YOUR_VEHICLE_ID/fuel \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -H 'Content-Type: application/json'

The response includes the corresponding information, with the value in the value field with a corresponding unit. In the following example, the fuel level is at 40%:

{
    "fuellevelpercent": {
        "value": 40,
        "retrievalstatus": "VALID",
        "timestamp": 1512747873,
        "unit": "PERCENT"
    }
}

This mirrors the options supplied by OBD (on-board diagnosis). The same vehicle diagnostic data can be read by physically attaching a corresponding device.

For non-networked cars – older makes, for instance – Mercedes offers the Mercedes me Adapter, which includes the Mercedes me Adapter app, in order to retrofit the same functionality.

Reading all data

The official API doesn’t document any further commands. That’s because dynamic can gather all information, including additional data, with a single request:

curl -X GET \
  https://api.mercedes-benz.com/experimental/connectedvehicle/v1/vehicles/YOUR_VEHICLE_ID/dynamic \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -H 'Content-Type: application/json'

The official Mercedes me smartphone app uses this request consistently, for instance when the app is opened, to prepare the data it displays:

{
    "dynamic":{
        "readingLampFrontRight":{
            "value":false,
            "status":"VALID"
        },
        "precondSeatFrontRight":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "preWarningBrakeLiningWear":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "remoteEngine":{
            "value":"OFF",
            "status":"INVALID"
        },
        "vehicleHealthStatus":{
            "value":0,
            "status":"VALID"
        },
        "smartCharging":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "drivenTimeStart":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "fuelLidClosed":{
            "value":true,
            "status":"VALID"
        },
        "tankReserveLamp":{
            "value":false,
            "status":"VALID"
        },
        "socprofile":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "maxrange":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "batteryState":{
            "value":0,
            "status":"VALID"
        },
        "liquidRangeSkipIndication":{
            "value":false,
            "status":"VALID"
        },
        "tirepressureRearRight":{
            "value":273,
            "status":"VALID"
        },
        "tireMarkerRearLeft":{
            "value":false,
            "status":"VALID"
        },
        "languageHU":{
            "value":0,
            "status":"VALID"
        },
        "batteryCutOffSwitch":{
            "value":null,
            "status":"NOT_RECEIVED"
        },
        "lastecall":{
            "value":null,
            "status":"NOT_RECEIVED"
        },
        "distanceElectricalStart":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "departureTimeMode":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "parkbrakestatus":{
            "value":true,
            "status":"VALID"
        },
        "gasTankLevel":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "precondNowError":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "rangeelectric":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "tireMarkerRearRight":{
            "value":false,
            "status":"VALID"
        },
        "windowstatusrearright":{
            "value":"CLOSED",
            "status":"VALID"
        },
        "serviceintervaldays":{
            "value":345,
            "status":"VALID"
        },
        "engineCoolantTemperature":{
            "value":null,
            "status":"NOT_RECEIVED"
        },
        "windowstatusrearleft":{
            "value":"CLOSED",
            "status":"VALID"
        },
        "electricalRangeSkipIndication":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "endofchargetime":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "kmatrixver":{
            "value":"2015/05/-/2.0/diag",
            "status":"VALID"
        },
        "windowsClosed":{
            "value":"CLOSED",
            "status":"VALID"
        },
        "auxheattimeselection":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "odo":{
            "value":772,
            "status":"VALID"
        },
        "warninglowbattery":{
            "value":false,
            "status":"VALID"
        },
        "icA13":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "tirewarninglamp":{
            "value":"INACTIVE",
            "status":"VALID"
        },
        "icA14":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "precondDuration":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "electricconsumptionreset":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "precondatdeparture":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "temperatureUnitHU":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "engineOilTemperature":{
            "value":null,
            "status":"NOT_RECEIVED"
        },
        "trunkLocked":{
            "value":true,
            "status":"VALID"
        },
        "averageSpeedReset":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "ecoscoreconst":{
            "value":87,
            "status":"VALID"
        },
        "engineLimpHomeMode":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "trunkClosed":{
            "value":true,
            "status":"VALID"
        },
        "supplybatteryvoltage":{
            "value":14.6,
            "status":"VALID"
        },
        "doorsClosed":{
            "value":true,
            "status":"VALID"
        },
        "electricChargingStatus":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "ecoscoretotal":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "rearLeftDoorClosed":{
            "value":true,
            "status":"VALID"
        },
        "warningbrakeliningwear":{
            "value":false,
            "status":"VALID"
        },
        "distanceZEStart":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "tirepressscope":{
            "value":"TIRE_PRESSURE_CONTROL",
            "status":"VALID"
        },
        "interiorLightsFront":{
            "value":false,
            "status":"VALID"
        },
        "tirewarningsrdk":{
            "value":"NO_WARNING",
            "status":"VALID"
        },
        "rangeliquid":{
            "value":142,
            "status":"VALID"
        },
        "precondNow":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "chargingPower":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "drivenTimeReset":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "auxheattime1":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "lightswitchposition":{
            "value":"AUTO",
            "status":"VALID"
        },
        "averageSpeedStart":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "auxheattime2":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "auxheattime3":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "gasconsumptionstart":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "interiorLightsRear":{
            "value":false,
            "status":"VALID"
        },
        "gasTankRange":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "ecoscorefreewhl":{
            "value":100,
            "status":"VALID"
        },
        "rearRightDoorLocked":{
            "value":true,
            "status":"VALID"
        },
        "distanceStart":{
            "value":24.5,
            "status":"VALID"
        },
        "soc":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "departureProfile":{
            "value":"NONE",
            "status":"VALID"
        },
        "gasconsumptionreset":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "distanceReset":{
            "value":771.7,
            "status":"VALID"
        },
        "windowstatusfrontleft":{
            "value":"CLOSED",
            "status":"VALID"
        },
        "tankCapOpenLamp":{
            "value":null,
            "status":"NOT_RECEIVED"
        },
        "speedUnitFromIC":{
            "value":null,
            "status":"NOT_RECEIVED"
        },
        "frontLeftDoorLocked":{
            "value":true,
            "status":"VALID"
        },
        "tirepressureRearLeft":{
            "value":273,
            "status":"VALID"
        },
        "locked":{
            "value":true,
            "status":"VALID"
        },
        "timeFormatHU":{
            "value":true,
            "status":"VALID"
        },
        "liquidconsumptionstart":{
            "value":6.4,
            "status":"VALID"
        },
        "maintenance1Ar":{
            "value":"AAAAAAAAAAA=",
            "status":"VALID"
        },
        "departuretimesoc":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "distanceZEReset":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "tirewarningsprw":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "serviceWarning":{
            "value":null,
            "status":"NOT_RECEIVED"
        },
        "precondSeatFrontLeft":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "tireMarkerFrontRight":{
            "value":false,
            "status":"VALID"
        },
        "drivenTimeZEReset":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "serviceintervaldistance":{
            "value":null,
            "status":"INVALID"
        },
        "readingLampFrontLeft":{
            "value":false,
            "status":"VALID"
        },
        "precondActive":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "ecoscorebonusrange":{
            "value":5.8,
            "status":"VALID"
        },
        "sunroofEvent":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "rearLeftDoorLocked":{
            "value":true,
            "status":"VALID"
        },
        "liquidconsumptionreset":{
            "value":7.8,
            "status":"VALID"
        },
        "warningbrakefluid":{
            "value":false,
            "status":"VALID"
        },
        "departureTimeUtc":{
            "value":null,
            "status":"VALID"
        },
        "precondimmediate":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "windowstatusfrontright":{
            "value":"CLOSED",
            "status":"VALID"
        },
        "maintenance2Ar":{
            "value":"AAAAAAAAAAA=",
            "status":"VALID"
        },
        "electricconsumptionstart":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "collisionAlarmTimestamp":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "trackingStateHU":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "warningenginelight":{
            "value":false,
            "status":"VALID"
        },
        "ignitionstate":{
            "value":"LOCK",
            "status":"VALID"
        },
        "precondSeatRearLeft":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "frontRightDoorClosed":{
            "value":true,
            "status":"VALID"
        },
        "rooftopstatus":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "currentSpeedFromIC":{
            "value":null,
            "status":"NOT_RECEIVED"
        },
        "warningwashwater":{
            "value":false,
            "status":"VALID"
        },
        "sunroofstatus":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "tirepressureFrontRight":{
            "value":278,
            "status":"VALID"
        },
        "precondSeatRearRight":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "auxheatwarnings":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "tirepressureFrontLeft":{
            "value":280,
            "status":"VALID"
        },
        "auxheatruntime":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "chargingactive":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "rearRightDoorClosed":{
            "value":true,
            "status":"VALID"
        },
        "warningcoolantlevellow":{
            "value":false,
            "status":"VALID"
        },
        "frontRightDoorLocked":{
            "value":true,
            "status":"VALID"
        },
        "drivenTimeZEStart":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "ecoscoreaccel":{
            "value":91,
            "status":"VALID"
        },
        "departuretime":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "tanklevelpercent":{
            "value":15,
            "status":"VALID"
        },
        "frontLeftDoorClosed":{
            "value":true,
            "status":"VALID"
        },
        "auxheatstatus":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "precondError":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "vtime":{
            "value":1520324215,
            "status":"VALID"
        },
        "collisionAlarmHappened":{
            "value":null,
            "status":"NOT_AVAILABLE"
        },
        "tireMarkerFrontLeft":{
            "value":false,
            "status":"VALID"
        },
        "preconditionActive":{
            "value":false,
            "status":"INVALID"
        },
        "tireWarningRollup":{
            "value":false,
            "status":"VALID"
        },
        "distanceElectricalReset":{
            "value":null,
            "status":"NOT_AVAILABLE"
        }
    },
    "aggregated":{
        "lastJourney":{
            "vin":"WDD***********123",
            "duration":2018,
            "distance":24,
            "started":1520322165,
            "averageSpeed":43.0
        }
    }
}
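An added example (not from the original article) of reading such a snapshot safely: a value counts only when its status is VALID and it is not null, since entries such as remoteEngine carry a value with status INVALID. The sample is a constructed subset using field names and values from the response above; treating vtime as a Unix timestamp, duration as seconds, and the 900-second staleness limit are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: a trimmed subset of the response shown in the article.
SAMPLE = json.loads("""
{"dynamic": {
   "locked":             {"value": true,       "status": "VALID"},
   "doorsClosed":        {"value": true,       "status": "VALID"},
   "windowsClosed":      {"value": "CLOSED",   "status": "VALID"},
   "trunkLocked":        {"value": true,       "status": "VALID"},
   "sunroofstatus":      {"value": null,       "status": "NOT_AVAILABLE"},
   "remoteEngine":       {"value": "OFF",      "status": "INVALID"},
   "preconditionActive": {"value": false,      "status": "INVALID"},
   "departureTimeUtc":   {"value": null,       "status": "VALID"},
   "currentSpeedFromIC": {"value": null,       "status": "NOT_RECEIVED"},
   "ignitionstate":      {"value": "LOCK",     "status": "VALID"},
   "vtime":              {"value": 1520324215, "status": "VALID"}},
 "aggregated": {"lastJourney": {"duration": 2018, "distance": 24,
                                "started": 1520322165, "averageSpeed": 43.0}}}
""")

# Fields describing whether the parked car is physically secured, mapped to
# the value that means "secured" (values as they appear in the article).
SECURED = {"locked": True, "doorsClosed": True,
           "windowsClosed": "CLOSED", "trunkLocked": True}


def trusted_value(dynamic, name):
    """Return (known, value); known only for status VALID with a non-null value."""
    entry = dynamic.get(name)
    if not entry or entry.get("status") != "VALID" or entry.get("value") is None:
        return False, None
    return True, entry["value"]


def audit(snapshot, now, max_age=900):
    """Summarise a snapshot without trusting INVALID, missing or stale data."""
    dynamic = snapshot.get("dynamic", {})
    report = {"status_counts": dict(Counter(e.get("status") for e in dynamic.values()))}
    # Entries that carry a value although their status says not to rely on it.
    report["untrusted_with_value"] = sorted(
        name for name, e in dynamic.items()
        if e.get("status") != "VALID" and e.get("value") is not None)
    secured, unknown = True, []
    for name, wanted in SECURED.items():
        known, value = trusted_value(dynamic, name)
        if not known:
            unknown.append(name)      # unknown is never reported as secured
        elif value != wanted:
            secured = False
    report["secured"] = secured and not unknown
    report["unknown"] = unknown
    known, vtime = trusted_value(dynamic, "vtime")
    report["stale"] = (not known) or (now - vtime > max_age)
    journey = snapshot.get("aggregated", {}).get("lastJourney")
    if journey:
        # Assumption: duration is in seconds (24 km in 2018 s matches 43 km/h).
        end = journey["started"] + journey["duration"]
        report["last_journey_end_utc"] = datetime.fromtimestamp(
            end, tz=timezone.utc).isoformat()
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, now=1520324215 + 60), indent=2))
```

The last-journey end time derived here shows how much usage pattern a single read of dynamic discloses to whoever holds a valid token.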

Vehicle location

There is also the option of carrying out geolocation of the vehicle (at an extra charge). This is accessed through location:

curl -X GET \
  https://api.mercedes-benz.com/experimental/connectedvehicle/v1/vehicles/YOUR_VEHICLE_ID/location \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -H 'Content-Type: application/json'

The response includes the longitude and latitude (which is not in fact the standard order used in EPSG:4326). It also includes the field heading, which returns the orientation of the vehicle in degrees. North is 0.0, and south is correspondingly 180.0. This is particularly useful when it comes to identifying the direction of travel.

{
    "heading":258.0,
    "longitude":8.491945,
    "latitude":47.385757999999996
}

The Mercedes me app uses this information to display the location of the vehicle on a dynamic map. This is a useful feature for finding your way back to a parking spot, for instance.

There is also the option of activating geofencing (currently only through the website). This can raise an alarm if the vehicle leaves a pre-defined area.

The present position is automatically communicated by the vehicle itself. A request made through the corresponding API or app is not apparent inside the vehicle. For example, no warning notification is sent to the driver.
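The location response and the geofencing idea described above, as an added example that is not part of the original article or of Mercedes' implementation: it validates the response, emits a GeoJSON point in [longitude, latitude] order, maps heading to a compass direction, and checks a circular geofence. The fence centre and radius are constructed values.

```python
import math

EARTH_RADIUS_M = 6371008.8  # mean Earth radius in metres
COMPASS = ("N", "NE", "E", "SE", "S", "SW", "W", "NW")

# Location response copied from the article.
SAMPLE_LOCATION = {"heading": 258.0, "longitude": 8.491945,
                   "latitude": 47.385757999999996}


def parse_location(resp):
    """Return (lat, lon, heading) after range checks.

    A latitude/longitude swap is only caught when the swapped latitude
    falls outside +/-90, so callers must still read the fields by name.
    """
    lat, lon = float(resp["latitude"]), float(resp["longitude"])
    heading = float(resp["heading"]) % 360.0
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinates out of range")
    return lat, lon, heading


def compass(heading):
    """Nearest of eight compass points; 0.0 is north, 180.0 is south."""
    return COMPASS[int((heading % 360.0 + 22.5) // 45) % 8]


def to_geojson(resp):
    """GeoJSON (RFC 7946) positions are [longitude, latitude]."""
    lat, lon, heading = parse_location(resp)
    return {"type": "Feature",
            "geometry": {"type": "Point", "coordinates": [lon, lat]},
            "properties": {"heading": heading, "compass": compass(heading)}}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS 84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def geofence_alarm(resp, center_lat, center_lon, radius_m):
    """Return (alarm, distance_m); alarm is True when the car is outside."""
    lat, lon, _ = parse_location(resp)
    distance = haversine_m(lat, lon, center_lat, center_lon)
    return distance > radius_m, distance


if __name__ == "__main__":
    print(to_geojson(SAMPLE_LOCATION))
    # Constructed fence: 1 km around a point a few kilometres to the east.
    print(geofence_alarm(SAMPLE_LOCATION, 47.376888, 8.541694, 1000.0))
```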

Location displayed in the Mercedes me app

Triggering actions

There is the option of triggering actions within narrowly defined limits. This primarily relates to unlocking and locking the car. Here, the doors are given the command unlock or lock. Actions are triggered through HTTP POST requests.

curl -X POST \
  https://api.mercedes-benz.com/experimental/connectedvehicle/v1/vehicles/YOUR_VEHICLE_ID/doors \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"command" : "LOCK"}'

It takes a few seconds for the asynchronous command to reach the car, and for it to execute and confirm. During this time, the status INITIATED (phase 1) and then the status PENDING (phase 2) are returned:

{
    "status":"PENDING",
    "errors":null,
    "data":null
}

If the action was successfully executed (phase 3), all telemetry data is transferred again as it is with the request dynamic. But the difference is that the response includes both status as well as any errors for the executed action (abridged):

{
    "status":"SUCCESS",
    "errors":null,
    "data":{
        "readingLampFrontRight":{
            "value":false,
            "status":"VALID"
        },
        (...)

The user is informed through various channels that the door is open – push notification to the smartphone via the Mercedes me app, and notification via email to the registered address. This message includes the present state of the vehicle doors:

The Mercedes me connect door locking function unlocked the vehicle on 08.03.2018 at 14:12:32. 

The last known status of the vehicle doors was:
No doors open.

The current status of the doors can be viewed in the Mercedes me connect app or by visiting the website at https://connect.mercedes.me.

Models from E-class onward have also offered a Remote Parking Pilot since 2016. This automatically gets the vehicle in and out of narrow and awkward parking spots.

Potential attacks

Networked vehicles, particularly those with always-on functionality, were met with skepticism when they were launched on the market – and with good reason. Expanded functionality offers expanded potential for attack.

App: DoS, sniffing, replay, and injection

The networked Mercedes me app on the smartphone communicates with the Mercedes server systems. This communication is carried out via HTTPS. As we illustrate in the analysis included here, it is possible to break into this communication. It looks like key pinning is being carried out as part of the authentication, and this step could not be readily intercepted. However, once the communication is authenticated, the data exchange can be interrupted, read, and manipulated with a normal web proxy.

Consequently, communication can be interrupted with destructive attacks, through flooding or redirects. When reading vehicle and telemetry data in normal daily use, this would be highly aggravating at most. But if someone uses the app to lock the vehicle, the lock command could be prevented from arriving (denial of service). This could in turn make theft possible, or easier.
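A client-side safeguard for this failure mode, as an added example that is not part of the original article or the Mercedes me app: a LOCK command counts as done only when the SUCCESS response arrives and its telemetry reports locked as true with status VALID; everything else is surfaced as unconfirmed. The responses are constructed from the phases described under "Triggering actions"; that data has the same shape as dynamic, the outcome names and the poll limit are assumptions.

```python
IN_PROGRESS = {"INITIATED", "PENDING"}  # phases 1 and 2 in the article

# Constructed response sequences for a LOCK command.
NORMAL = [
    {"status": "INITIATED", "errors": None, "data": None},
    {"status": "PENDING", "errors": None, "data": None},
    {"status": "SUCCESS", "errors": None,
     "data": {"locked": {"value": True, "status": "VALID"}}},
]
# Command that never completes, e.g. because traffic is being dropped.
DROPPED = [
    {"status": "INITIATED", "errors": None, "data": None},
    {"status": "PENDING", "errors": None, "data": None},
    {"status": "PENDING", "errors": None, "data": None},
]


def confirm_lock(responses, max_polls=10):
    """Consume successive command responses and classify the result.

    CONFIRMED    SUCCESS and telemetry says locked (value true, status VALID)
    UNVERIFIED   SUCCESS, but the lock state is missing or not VALID/true
    FAILED       errors reported or a status outside the documented phases
    UNCONFIRMED  no final response within max_polls or the stream ended
    """
    phases = []
    for polls, resp in enumerate(responses, start=1):
        status = resp.get("status")
        phases.append(status)
        if status in IN_PROGRESS:
            if polls >= max_polls:
                break
            continue
        if status != "SUCCESS" or resp.get("errors"):
            return {"outcome": "FAILED", "phases": phases}
        locked = (resp.get("data") or {}).get("locked") or {}
        if locked.get("status") == "VALID" and locked.get("value") is True:
            return {"outcome": "CONFIRMED", "phases": phases}
        return {"outcome": "UNVERIFIED", "phases": phases}
    return {"outcome": "UNCONFIRMED", "phases": phases}


def is_confirmed_locked(result):
    """Only a CONFIRMED outcome may be shown to the user as 'locked'."""
    return result["outcome"] == "CONFIRMED"


if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("dropped", DROPPED)):
        result = confirm_lock(seq, max_polls=3)
        print(name, result["outcome"], result["phases"])
```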

Once authentication has been carried out successfully and this or later communication can be read, the attacker may continue as desired. A replay attack can be carried out by reusing the access token, at least until the authentication has to be refreshed. Presently, the API requires re-authentication after 60 minutes.

Vehicle: Other vulnerabilities and privacy

Vehicles connected to the Internet are naturally exposed to further vulnerabilities. They are constantly accessible, and must be able to process and respond to requests. It is conceivable that programming and logical errors may lead to a vulnerability being exploited.

Networked cars must be treated like mobile computers, as with the Internet of Things (IoT). They will have to struggle with the same problems we have seen in webcams and medical devices, at least in the near future.

By contrast, the automotive industry is moving toward additional safety standards, which will also have a positive effect on the security of the vehicles in question. We can expect to see manufacturers making security patches and updates available over a relatively long period. But what happens as soon as a vehicle or its computer technology is considered as end-of-life (EOL)? That is something we will have to find out in the future. The hope is that legislators will bring in fair standards both for dealers and manufacturers.

In general, the always-on principle involves a loss of privacy. Car manufacturers know at any moment where the vehicle is located. They can also access status information. And, if necessary, they can even deactivate functions. This last eventuality may happen for safety reasons – if there is a risk factor discovered in a component, for instance. But it may also happen because they suddenly no longer wish to support certain functions. As each new firmware version is automatically installed, there is the risk that it may contain an inadvertent “disimprovement”. For fully automated updates in particular, this may lead to nasty surprises.

Research outlook

The issue of car hacking remains interesting to us as a company. Our Titanium research division is currently working on different aspects of this complex issue.

The security technology analysis of sensors and logic has lost none of its topicality. Increased functionality offers increased vulnerabilities, which can be used to attackers’ own advantage in various different scenarios. As well as OBD, the very online services described here have also become of interest in recent years. In this field, there are many points that have not been sufficiently investigated, if at all.

As part of our research in the area of artificial intelligence, we will be investigating the technical, psychological, and sociological aspects of integrated speech assistants, as well as integration via Amazon Alexa, among other things.

Conclusion

All major car manufacturers now offer networking for their vehicles. Mercedes uses the Mercedes me app to read vehicle and telemetry data. This also allows some individual actions, such as opening the locking mechanism. This is achieved through standard technologies such as HTTP, REST, OAuth, and JSON.

Additional options are associated with additional risks. For one, the app or app communications may be attacked. For another, the networked car itself may come with vulnerabilities, some of them permanent.

At present, the limited options in the API prevent the worst outcomes. But it is conceivable that more functionality will be available through this networking in the future. This development must be viewed skeptically, and the highest requirements placed on vehicle security. Here, legislators must establish fair and sustainable solutions both for consumers and manufacturers in the interests of safety and security.

About the Author

Marc Ruef

Marc Ruef has been working in information security since the late 1990s. He is well-known for his many publications and books. The latest one, The Art of Penetration Testing, discusses security testing in detail. He is a lecturer at several faculties, like ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)
