Mazdas Could Be Compromised in Minutes

Hackers could “achieve a complete and persistent compromise of the infotainment system.”

Mazda

Increasingly connected vehicles bring many benefits to drivers, but there are drawbacks as well.

A recent report has identified potential security flaws in Mazda’s in-vehicle infotainment system, raising alarm among users.

The cybersecurity group Zero Day Initiative points to the Mazda Connect Connectivity Master Unit (CMU) system as the source of an emergent issue. They say “multiple vulnerabilities” have been uncovered as part of the firm’s research. When used in conjunction, hackers could “achieve a complete and persistent compromise of the infotainment system.”

Zero Day details a scenario where a physically present attacker could exploit system vulnerabilities by connecting a “specially crafted” iPod or USB drive to target the system. If successfully breached, the results could be “arbitrary code execution with root privileges.”

Motortrend suggests that the Mazdas in question aren’t sophisticated enough to enable hackers to drive them remotely, though nefarious actors could still walk away with sensitive personal data. Not to mention, this point of compromise could endanger other connected devices, and hackers could use the CMU to gain access to passenger’s smartphones when they are connected to the vehicle.

Insufficient sanitization when handling attacker-supplied input is said to be at the root and Jeff Williams, founder and CTO of Contrast Security, stressed that “injection is everywhere.

“Every piece of data could contain an attack targeting any downstream systems that use that data,” Williams said in a statement. “Mazda should use runtime security testing to ensure they can track untrusted data and help developers use it safely.”

Zero Day experts noted that the entire attack chain could take place in the span of mere minutes, meaning a breach could occur while the vehicle is being handled by a valet, in a shop environment, or during a ride share.


More in Cybersecurity