Researchers have discovered six unpatched vulnerabilities in Mazda’s in-vehicle infotainment system, the Mazda Connect Connectivity Master Unit (CMU). The affected system is present in a range of Mazda models from 2014 to 2021, including the Mazda3, CX-3, CX-5, and CX-9. The vulnerabilities were identified by Trend Micro’s Zero Day Initiative (ZDI) and could allow attackers to run arbitrary code with root access to the vehicle’s infotainment system.
The main issue stems from insufficient sanitization when the system processes external input, leading to OS command injection vulnerabilities. To exploit these flaws, an attacker would need physical access to the vehicle for just a few minutes. If an attacker inserts a specially crafted USB drive containing a malicious file with a “.up” extension, the system automatically treats it as an update and executes the attacker’s commands without any further user interaction.
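The following added example (not Mazda’s or ZDI’s code; the file names, the /mnt/usb mount point and the function names are hypothetical) shows the general pattern the article describes and one way a developer can close it: an update file name taken from removable media is spliced into a shell command line, so shell metacharacters in the name change what gets executed. The hardened version allow-lists the name and executes the copy tool directly, so no shell ever parses untrusted input.

```c
/* Added illustration of the command-injection pattern described above and a
 * hardened alternative. Hypothetical names throughout; not Mazda's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_NAME 64

/* Vulnerable pattern: the file name read from the USB stick is concatenated
 * into a command line that the caller hands to system(). Nothing validates
 * the name, so a name containing ';' or '|' becomes part of the shell syntax. */
int handle_update_unsafe(const char *usb_filename, char *cmd, size_t cmdlen) {
    int n = snprintf(cmd, cmdlen, "cp /mnt/usb/%s /tmp/update.up", usb_filename);
    if (n < 0 || (size_t)n >= cmdlen) return -1;
    return 0;  /* caller would run system(cmd) here: that is the injection point */
}

/* Allow-list check: bounded length, stem made only of [A-Za-z0-9_-], exactly
 * the ".up" suffix. Rejects metacharacters, spaces and "../" traversal. */
int is_valid_update_name(const char *name) {
    size_t len = strlen(name);
    if (len < 4 || len > MAX_NAME) return 0;
    if (strcmp(name + len - 3, ".up") != 0) return 0;
    for (size_t i = 0; i < len - 3; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened: validate first, then exec the tool directly with an argv array.
 * Returns -1 if the name is rejected or the process could not be run, else
 * the exit status of cp. */
int run_update_safely(const char *usb_filename) {
    if (!is_valid_update_name(usb_filename)) return -1;
    char src[128];
    snprintf(src, sizeof src, "/mnt/usb/%s", usb_filename);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* "--" ends option parsing so a leading '-' in the name is never a flag */
        execl("/bin/cp", "cp", "--", src, "/tmp/update.up", (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    handle_update_unsafe("a; echo injected.up", cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd);
    printf("safe path rejects it: %d\n", run_update_safely("a; echo injected.up"));
    printf("valid name accepted by allow-list: %d\n", is_valid_update_name("fw-2021_1.up"));
    return 0;
}
```

The allow-list is deliberately narrow: rejecting everything except a small set of characters is easier to reason about than trying to escape every shell metacharacter, and passing the path as a separate argv element means the name is data, never syntax. Validating the name is only the first layer; an update mechanism that accepts any file with the right extension still needs to verify the update's integrity and origin before applying it.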
Mazda infotainment vulnerabilities and risks
The potential consequences of a successful attack are severe. An attacker could gain full control over the infotainment system, potentially leading to denial of service, compromising connected devices, or even installing ransomware.
In more serious cases, the attacker could manipulate the vehicle’s root file system or install backdoored components, which could impact vehicle operation and safety. Dustin Childs, head of threat awareness at ZDI, emphasized the importance of multi-layered security systems in vehicles, stating, “The more we get ahead of the problem now, the easier it will be to react to it in the future.”
Despite the severity of these vulnerabilities, Mazda has not yet released patches to address them. A Mazda spokesperson commented, “Mazda is aware of the vulnerabilities described. Although Mazda refrains from detailing specific measures, we are continuing to develop technologies and implement countermeasures to remedy these vulnerabilities in order to protect customer safety and assets.”
This incident highlights the growing importance of cybersecurity in the automotive industry and the need for more rigorous security practices in the development of automotive infotainment systems.