Merc Jacked in 30 Minutes!!!!!!!!!!!

Gaining access to a merc-mini is "easy pickings," according to an individual who won a carjacking challenge last month by gaining control of a machine using an unpublished security system vulnerability.

On February 22, a Sweden-based car enthusiast on holiday in Australia parked his Merc-Mini rental in the service lane of a seedy suburban street and invited car-jackers to break through the car's security and gain control, which would allow the jacker to take charge of the car, drive it, remove wheels and badges or even install some truly sic mag wheels.

Within hours of going live, the "rm-my-merc" competition was over. The challenger posted this message on the cars windscreen: "This SUX. Six hours later dis poor little merc waz owned and dis windscreen got defaced". The jacker that won the challenge, who asked CrapzNet Oz to identify him only as "TwerpA", said he gained control of the Merc in less than 30 minutes.

"Yeah, m-a-a-a-te, like it probably took about 20 or 30 minutes to get control of the shitbox, like. Initially I tried looking around the vehicle for certain gaps in the side windows and other obvious gaps that I could get a coat-hanger down to unlatch the doors. Then I tried a screwdriver in the lock. But after about 20 minutes I realised that the doors were unlocked so like I decided to use some "unpublished exploits" like, um, using the door handle. Ma-a-a-ate there are heaps of these types of "unpublished" exploits for the little merc mini. Ya, know they is a secret between da boyz an' me." TwerpA told CrapzNet Oz . "Den, like it only took me anudder ten or so minutes to realise dat da keyz were sittin' on da driverz seat. Man, after I picked dat up, I owned dat machine, man!" said TwerpA enthusiastically.

According to TwerpA, the jacked merc could have been better protected, but it would not have stopped him because he exploited a vulnerability that has not yet been made public or fixed by the manufacturer. "An' besides, I am da MAN. Who's da man? I'M DA MAN" TwerpA proclaimed modestly.

'The "rm-my-merc" challenge was setup similar to how you would leave your mini if da drive-thru were closed and you had ta run inside ta pick-up your maccaz, with the boot open, the boom box booming, and fluoros flashing, while da girlz were makin' use of da "services" in da restaurant. So yeah, there was some local access to users, like. There are various merc hardening guides out there that could have been used to harden da machine, however, it wouldn't have stopped the vulnerability I used to gain access.' TwerpA told CrapzNet Oz.

"There are only limited things you can do with unknown and unpublished vulnerabilities like havin' da doors unlocked and da keys on da driver's seat." TwerpA concluded that the merc contains "easy pickings" when it comes to vulnerabilities that could allow jackers to break into the merc's operating systems. "The merc mini is easy pickings for me and da homies. Dat said, it doesn't have the market share to really interest most serious jackers like uzz" added TwerpA.