Mercedes-Benz MB.OS / MBUX
Overall grade: F (Fail)
Mercedes-Benz · 🇩🇪 Germany · Cellular + WiFi + Bluetooth
Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
App: Mercedes me
Manufacturer: Mercedes-Benz

⚠️ The bottom line

Mercedes left a GitHub token exposed that unlocked their entire internal source code — including cloud access keys, API credentials, and connected vehicle backend code. The keys to the kingdom, sitting in a misconfigured repository. The company building always-connected luxury cars couldn't secure its own source code. Mercedes installed the hardware for rear-wheel steering in your car, then charges $575/year to unlock it. Want your engine to accelerate like it was designed to? $1,200/year. The parts are there. The capability exists. Mercedes just flips a software switch when you pay. You bought a car. They sold you a subscription to the car you already own.

Legal jurisdiction
🇩🇪 Germany (headquarters)
GDPR (BfDI + 16 state DPAs)
You can demand deletion, access, and portability. Germany has 17 enforcement bodies and the strictest consent rules in the EU.
Spying: 2/4 MODERATE (Is someone spying on me?)
Data Sharing: 1/4 LOW (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 1/4 LOW (Can I trust what they say?)
CONFIGURE: high-risk areas that can be partially mitigated with settings changes.
3 contradictions (1 critical, 2 high, 0 medium) · 3 sources
Findings by concern
Spying · 2/4 MODERATE · 1 finding
⚡ High: privacy policy vs third-party research
Mercedes can collect your fingerprints, your voice, where you drive, how you drive, and infer your emotional state from cabin cameras. They can share it with advertisers. The privacy policy is 12 pages long. Mercedes says they need your emotions for "vehicle comfort." Advertisers need your emotions for targeting. Same data, different purpose, one collection.

What they claim: Mercedes privacy policy describes data collection for vehicle improvement and customer service

What we found: A 2023 Mozilla *Privacy Not Included* review found Mercedes-Benz can collect biometric data (fingerprints, voice), precise geolocation, driving behaviour, and emotional state inferred from in-cabin monitoring. Mercedes reserves the right to share data with third parties for advertising. Mozilla rated Mercedes among the worst car brands for privacy, noting the 12-page privacy policy was "absurdly long."

Security · 3/4 HIGH · 1 finding
⚠️ Critical: marketing vs regulatory
Mercedes left a GitHub token exposed that unlocked their entire internal source code — including cloud access keys, API credentials, and connected vehicle backend code. The keys to the kingdom, sitting in a misconfigured repository. The company building always-connected luxury cars couldn't secure its own source code.

What they claim: Mercedes-Benz promotes vehicle cybersecurity as a priority

What we found: In 2024, security researchers discovered a misconfigured GitHub token that exposed Mercedes-Benz's entire internal source code repository, including cloud access keys, internal API credentials, and design documents. The leak was discovered by RedHunt Labs and reported through responsible disclosure. The exposed repository included code for Mercedes's connected vehicle backend.

Honesty · 1/4 LOW · 1 finding
⚡ High: marketing vs third-party research
Mercedes installed the hardware for rear-wheel steering in your car, then charges $575/year to unlock it. Want your engine to accelerate like it was designed to? $1,200/year. The parts are there. The capability exists. Mercedes just flips a software switch when you pay. You bought a car. They sold you a subscription to the car you already own.

What they claim: Mercedes-Benz promotes premium connected experience with MBUX infotainment

What we found: Mercedes introduced subscription fees for rear-wheel steering ($575/year) and acceleration boost ($1,200/year), features that are hardware-present but software-locked. After the backlash BMW faced, Mercedes positioned these as "optional performance upgrades." The car physically has the hardware. Mercedes sells software permission to use it.

Sources