New Mercedes-Benz HERMES 1 Vulnerability could allow attacker to physical access to device hardware

In Mercedes-Benz HERMES 1, an authentication bypass in the debug interface enables an attacker with physical access to computer hardware to acquire machine knowledge.

Monday, 16 November 2020, 06:16 GMT

Mercedes-Benz Vans eVito von Hermes


HERMES HERMES is a Telematics Control Unit and it is equipped in all Mercedes-Benz connected cars. The full name of it is Hardware for Enhanced Remote-, Mobility- & Emergency Services. It handles emergency calls, information calls, with support for remote diagnosis, local diagnosis, which can communicate with each ECU.

Besides, it is responsible for the Internet access function of the Head-Unit and supports 2.4GHz and 5GHz WLAN networking. The CAN transceiver is connected to the CAN bus 500k, and the LIN line is connected to the Airbag.

The core of HERMES is the communication module, which supports 3G & 4G network. The module can set up a wireless network for the Head-Unit, and the network could be Wi-Fi or Bluetooth. This solution is called OpenCPU in China. The performance of the communication module is higher than MCU, so it is responsible for calculating data and running the operating system. The primary operating system of the communication module is Linux, and the throughput performance of the module can meet the working requirements. Some 4G routers also use this solution. The communication module communicates with the MCU through the UART and is responsible for control instructions and software upgrades. SH2A MCU is responsible for managing peripheral chips, including LIN transceiver, CAN transceiver, and power management.