Unresolved Vulnerabilities in Mazda Connect Could Allow Hackers to Install Persistent Malware
November 8, 2024
Several unpatched vulnerabilities in the Mazda Connect infotainment system, found in various Mazda car models including the Mazda 3 (2014-2021), could allow attackers to execute arbitrary code with root privileges. These security flaws could affect the car's operation and safety by providing unrestricted access to vehicle networks.
The flaws were discovered in the Mazda Connect Connectivity Master Unit (CMU), a product of Visteon whose software was initially developed by Johnson Controls. The researchers analyzed the latest firmware version (74.00.324A) and found no publicly reported vulnerabilities. However, the CMU has a community of users who modify the system to enhance its functionality, a process known as 'modding', and that process relies on the exploitation of software vulnerabilities.
A report by Trend Micro's Zero Day Initiative (ZDI) highlighted the range of issues discovered, from SQL injection and command injection to the execution of unsigned code. To exploit these vulnerabilities, physical access to the infotainment system is required. As Dmitry Janushkevich, a senior vulnerability researcher at ZDI, explains, 'a threat actor could connect with a USB device and deploy the attack automatically within minutes.' Despite the requirement of physical access, unauthorized access is relatively easy to obtain, particularly in scenarios such as valet parking or during service at workshops or dealerships.
The report further warns that compromising a car's infotainment system using the disclosed vulnerabilities could lead to a range of consequences including database manipulation, information disclosure, creation of arbitrary files, injection of arbitrary OS commands leading to full system compromise, gaining persistence, and executing arbitrary code before the operating system boots.
By exploiting a specific vulnerability, CVE-2024-8356, an attacker could install a malicious firmware version, gain direct access to the connected controller area networks (CAN buses), and reach the vehicle's electronic control units (ECUs) for the engine, brakes, transmission, or powertrain. According to Janushkevich, the attack chain can be completed in just a few minutes, 'from plugging in a USB drive to installing a crafted update,' in a controlled environment. A targeted attack could also compromise connected devices and lead to denial of service, bricking, or ransomware.