6 Infotainment Bugs Allow Mazdas to Be Hacked With USBs

Published : 23/11/2024   Category : security




Direct cyberattacks on vehicles are all but unheard of. In theory, though, the opportunity is there to cause real damage — data extraction, full system compromise, even gaining access to safety-critical systems.



Six unpatched vulnerabilities in a Mazda in-vehicle infotainment (IVI) system could be exploited with a simple USB in a moment's time, and one of them has legitimate consequences for vehicle safety.
These days, cars are just computers on wheels, and IVIs are their user interface. The IVIs in most Mazda vehicles of recent years — like the Mazda3 and CX-3, 5, and 9 — are built with the Mazda Connect Connectivity Master Unit (CMU), developed by the Michigan-based Visteon Corporation. The CMU is a core hardware component that enables various connectivity services: smartphone integration, a Wi-Fi hotspot, and various remote monitoring and control features.
Recent research through Trend Micro's Zero Day Initiative (ZDI) has surfaced half a dozen vulnerabilities in the Mazda IVI. A few of them enable full system compromise and access to various sensitive data. One of particular note could enable an attacker to pivot to the vehicle's Controller Area Network (CAN) bus — the central nervous system connecting its various component parts.
None of the vulnerabilities have been assigned a value according to the Common Vulnerability Scoring System (CVSS) yet. All of them remain unpatched as of this writing. On the plus side: They all require that an attacker physically insert a malicious USB into the center console. Such a scenario — carried out by a carjacker, or possibly a valet or dealer — is essentially unheard of in the real world to date.
Dark Reading has reached out to Visteon for further comment on this story.
Three of the vulnerabilities — CVE-2024-8358, CVE-2024-8359, and CVE-2024-8360 — target functions used to locate and extract specific files during software updates. Because the provided file path is not sanitized, an attacker can step in with their own malicious injection, which gets executed at the root level of the system. With a specially crafted command, this one-step hack could facilitate a full system takeover.
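A defensive sketch of the file-name handling described above, added here as an illustration and not taken from the CMU firmware or the ZDI advisories. The mount point, staging directory, name pattern and use of `unzip` are assumptions; the point is that names read from removable media are validated and passed as an argument list, never through a shell.

```python
import re
from pathlib import PurePosixPath

# Assumptions for illustration: the mount point, staging directory, name
# pattern and the use of unzip are hypothetical, not taken from the CMU.
UPDATE_ROOT = PurePosixPath("/mnt/usb/update")
STAGING_DIR = "/tmp/stage"
# First character must be alphanumeric: blocks "-o" style option injection
# and ".." traversal; no "/", spaces or shell metacharacters anywhere.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def unsafe_command(archive, member):
    """Pattern to avoid: untrusted names spliced into a shell command line."""
    return f"unzip -o {UPDATE_ROOT}/{archive} {member} -d {STAGING_DIR}"


def safe_argv(archive, member):
    """Validate both names, then build an argv list for subprocess.run()
    with shell=False, so no shell ever parses the names."""
    for name in (archive, member):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"rejected update file name: {name!r}")
    return ["unzip", "-o", str(UPDATE_ROOT / archive), member, "-d", STAGING_DIR]


def is_accepted(name):
    """True if the name passes validation as an archive name."""
    try:
        safe_argv(name, "main.img")
        return True
    except ValueError:
        return False


# Constructed sample names, as a USB stick might present them.
SAMPLES = ["reinstall.up", "../../etc/passwd", "fw.up;reboot", "-d", "a b.up"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:22} accepted={is_accepted(s)}")
```

Only the first sample name is accepted. Running the updater with the least privilege it needs, rather than as root, limits the damage if a check like this is ever bypassed.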
Another way to skin this cat would be to take advantage of CVE-2024-8357, affecting the CMU's System on Chip (SoC) running Linux. The SoC's boot process has no authentication in place, so an attacker with the ability to execute code can take advantage to manipulate files, establish persistence through reboots, and establish control over the system even before it boots up.
CVE-2024-8355 might seem at first a bit different from the rest but, in reality, it's caused by the same underlying problem: lack of sanitization of input data.
To establish a connection with an Apple device, the CMU will request the device's serial number. Because it doesn't apply scrutiny to that value, a spoofed device can send specially crafted SQL code instead. The system's DeviceManager will run that code at the root level, enabling all kinds of malicious outcomes: database exposure, arbitrary file creation, etc.
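The serial-number flaw, shown as the unsafe pattern beside its hardened form. This is an added example, not DeviceManager code: the `devices` table, the function names, the serial-number format and the use of an in-memory SQLite database are all assumptions made for illustration.

```python
import re
import sqlite3

# Assumption: serial numbers are short alphanumeric strings; the real format
# and the CMU's schema are not given in the article.
SERIAL_RE = re.compile(r"[A-Z0-9]{8,20}")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (serial TEXT NOT NULL)")
    return conn


def register_unsafe(conn, serial):
    # Pattern to avoid: device-supplied text becomes part of the statement.
    conn.execute(f"INSERT INTO devices (serial) VALUES ('{serial}')")


def register_safe(conn, serial):
    # 1) Reject anything that does not look like a serial number.
    if not SERIAL_RE.fullmatch(serial):
        raise ValueError("malformed serial number")
    # 2) Bind the value as a parameter; it is never parsed as SQL.
    conn.execute("INSERT INTO devices (serial) VALUES (?)", (serial,))


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM devices").fetchone()[0]


# Constructed input: a "serial" that closes the string literal and adds a row.
CRAFTED = "A'), ('B"


def demo():
    """Return (rows after unsafe insert, crafted value rejected?, safe rows)."""
    unsafe, safe = new_db(), new_db()
    register_unsafe(unsafe, CRAFTED)       # one call, two rows written
    try:
        register_safe(safe, CRAFTED)
        rejected = False
    except ValueError:
        rejected = True
    register_safe(safe, "F17XK3ABCD12")    # constructed, well-formed serial
    return row_count(unsafe), rejected, row_count(safe)


if __name__ == "__main__":
    print(demo())
```

In the unsafe version a single registration call writes two rows, because the device's text changed the shape of the statement; the hardened version rejects the same value before it reaches the database.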
Last, but certainly not least, is CVE-2024-8356, a missing verification during the CMU software update process. This one, however, affects the unit's other processor, the Verification IP Microcontroller Unit (VIP MCU). The VIP MCU is designed to be separate from the SoC for security purposes, because instead of running the operating system, it connects to the vehicle's CAN bus. The CAN bus, in turn, connects the rest of the vehicle: everything from climate control to the engine and airbags. With a tampered firmware image, ZDI demonstrated that one can jump the SoC to manipulate the VIP MCU, and from there reach the CAN bus.
"In truth, it's hard to predict what an attacker could do once they have access to a CAN bus," says Dustin Childs, head of threat awareness at ZDI. "Since the CAN bus serves as the nervous system of the vehicle, a threat actor could potentially impact whatever electronic control units (ECUs) or components that interact with the CAN bus." Translation: Attackers can subvert just about any conceivable part of the vehicle.
"The worst case scenario would be an attacker impacting the driving characteristic of the car, rendering it unsafe to operate," he adds.
Still, the threat is immaterial. For all of the exploits demonstrated by researchers, actual criminals still consistently stick to those older tried-and-true methods of compromise: a stolen set of keys; an unfurled clothes hanger slipped artfully in between a window and a door frame; or a rock, a window, and a good baseball toss.
"At this point, there isn't a lot of real-world impact," Childs admits. "However, as cars become more connected, remote exploitation becomes more realistic. In the last Pwn2Own Automotive, the team from Synacktiv exploited the modem of the Tesla Model 3 over-the-air to reach and interact with the onboard systems of the vehicle. It's just a matter of time until a complete, remote vehicle takeover becomes a real possibility."
He adds, "That's why manufacturers should build in security to each component and not rely on the defenses of other modules. A vehicle should have a multilayered protective system that assumes every message may be from a compromised source. The more we get ahead of the problem now, the easier it will be to react to it in the future."