Original Article Text

Unpatched Mazda Connect bugs let hackers install persistent malware

Attackers could exploit several vulnerabilities in the Mazda Connect infotainment unit, present in multiple car models including the Mazda 3 (2014-2021), to execute arbitrary code with root permission. The security issues remain unpatched, and some of them are command injection flaws that could be leveraged to obtain unrestricted access to vehicle networks, potentially impacting the car's operation and safety.

Vulnerability details

Researchers found the flaws in the Mazda Connect Connectivity Master Unit (CMU) from Visteon, with software initially developed by Johnson Controls. They analyzed the latest version of the firmware (74.00.324A), for which there are no publicly reported vulnerabilities. The CMU has its own community of users who modify it to improve functionality (modding). However, installing those tweaks relies on software vulnerabilities. In a report yesterday, Trend Micro's Zero Day Initiative (ZDI) explains that the discovered problems range from SQL injection and command injection to unsigned code:

Exploitability and potential risks

Exploiting the six vulnerabilities above, though, requires physical access to the infotainment system. Dmitry Janushkevich, senior vulnerability researcher at ZDI, explains that a threat actor could connect with a USB device and deploy the attack automatically within minutes. Despite this limitation, the researcher notes that unauthorized physical access is easily obtainable, especially in valet parking and during service at workshops or dealerships. According to the report, compromising a car's infotainment system using the disclosed vulnerabilities could allow database manipulation, information disclosure, creating arbitrary files, injecting arbitrary OS commands that could lead to full compromise of the system, gaining persistence, and executing arbitrary code before the operating system boots.
By exploiting CVE-2024-8356, a threat actor could install a malicious firmware version and gain direct access to the connected controller area networks (CAN buses) and reach the vehicle's electronic control units (ECUs) for the engine, brakes, transmission, or powertrain. Janushkevich says that the attack chain takes just a few minutes, "from plugging in a USB drive to installing a crafted update," in a controlled environment. However, a targeted attack could also compromise connected devices and lead to denial of service, bricking, or ransomware.

Daily Brief Summary

MALWARE // Mazda Connect Vulnerabilities Allow Installation of Persistent Malware

Multiple vulnerabilities in Mazda Connect infotainment systems enable unauthorized code execution with root permissions.

The security flaws, found in systems used in Mazda 3 models from 2014 to 2021, remain unpatched and include command injection issues.

Attackers require physical access to the infotainment system, which can be easily obtained during valet parking or service visits.

Exploiting these flaws permits database manipulation, information disclosure, and persistent system compromise.

The most severe vulnerability allows attackers to install malicious firmware, gaining control over the vehicle's critical electronic systems.

Researchers at Trend Micro’s Zero Day Initiative highlighted the rapid execution of these attacks through simple USB connections.

The implications of such vulnerabilities could extend to connected devices, potentially causing denial of service, system bricking, or ransomware attacks.