2014-2021 Mazdas vulnerable: attackers can take over infotainment system using USB


Multiple vulnerabilities plague Mazda’s in-vehicle infotainment systems, according to Trend Micro’s Zero Day Initiative (ZDI). Malicious actors can exploit these flaws to run any arbitrary code with root access.

ZDI discovered six vulnerabilities in the Mazda Connect Connectivity Master Unit (CMU) system, which was used in many car models, including the Mazda 3, from 2014 to 2021. The flaws affect the latest software version and remain unpatched.

“All the attacker needs to do is create a file on a FAT32-formatted USB mass storage device where the name will contain the OS commands to be executed,” security researcher Dmitry Janushkevich said in a report.

ADVERTISEMENT

The attacker needs just a few minutes of physical access to plug a malicious USB device into the car’s infotainment system. Vehicles would be the most vulnerable during ride-sharing, valet parking, or visits to unauthorized service centers.

Successful exploitation could compromise safety, cause denial of service, enable attempts to compromise connected devices, and even facilitate ransomware.

mazda-infotainment
Image by Zero Day Initiative.

The researcher assesses that OS command injection vulnerabilities are caused “by insufficient sanitization when handling attacker-supplied input.” The software update installation of the analyzed unit can be automatically triggered by connecting a USB mass storage device, making exploitation relatively straightforward.

“The filename must end with .up for it to be recognized by the software update handling code,” the report explains. “There are no specific exploitation requirements such as the validity of the crafted update file.”

An attacker can then manipulate the root file system for persistence by installing backdoored system components.

Niamh Ancell BW Female author Paulius Grinkevicius Konstancija Gasaityte profile
Don’t miss our latest stories on Google News

“Furthermore, the attacker can move laterally and install a specially crafted VIP microcontroller software allowing unfettered access to vehicle networks, potentially impacting vehicle operation and safety,” Janushkevich warns.

ADVERTISEMENT

“Specific impacts (what could be controlled and how) were not investigated during this research effort.”

The report highlights that even a very mature automotive product with a long history of security fixes can be highly vulnerable, plagued with programming errors and security design flaws.

The researcher analyzed a CMU unit manufactured by Visteon, its software was initially developed by Johnson Controls Inc (JCI).