Unpatched Mazda Connect bugs let hackers install persistent malware

Attackers could exploit several vulnerabilities in the Mazda Connect infotainment unit, present in multiple car models including Mazda 3 (2014-2021), to execute arbitrary code with root permission.

The security issues remain unpatched and some of them are command injection flaws that could be leveraged to obtain unrestricted access to vehicle networks, potentially impacting the car's operation and safety.

Vulnerability details

Researchers found the flaws in the Mazda Connect Connectivity Master Unit from Visteon, with software initially developed by Johnson Controls. They analyzed the latest version of the firmware (74.00.324A), for which there are no publicly reported vulnerabilities.

The CMU has its own community of users that modify it to improve functionality (modding). However, installing the tweaks relies on software vulnerabilities.

In a report yesterday, Trend Micro's Zero Day Initiative (ZDI) explains that the discovered problems vary from SQL injection and command injection to unsigned code:

CVE-2024-8355: SQL Injection in DeviceManager – Allows attackers to manipulate the database or execute code by inserting malicious input when connecting a spoofed Apple device. CVE-2024-8359: Command Injection in REFLASH_DDU_FindFile – Lets attackers run arbitrary commands on the infotainment system by injecting commands into file path inputs. CVE-2024-8360: Command Injection in REFLASH_DDU_ExtractFile – Similar to the previous flaw, it allows attackers to execute arbitrary OS commands through unsanitized file paths. CVE-2024-8358: Command Injection in UPDATES_ExtractFile – Allows command execution by embedding commands in file paths used during the update process. CVE-2024-8357: Missing Root of Trust in App SoC – Lacks security checks in the boot process, enabling attackers to maintain control over the infotainment system post-attack. CVE-2024-8356: Unsigned Code in VIP MCU – Allows attackers to upload unauthorized firmware, potentially granting control over certain vehicle subsystems.

Exploitability and potential risks

Exploiting the six vulnerabilities above, though, requires physical access to the infotainment system.

Dmitry Janushkevich, senior vulnerability researcher at ZDI, explains that a threat actor could connect with a USB device and deploy the attack automatically within minutes.

Despite this limitation, the researcher notes that unauthorized physical access is easily obtainable, especially in valet parking and during service at workshops or at dealerships.

According to the report, compromising a car's infotainment system using the disclosed vulnerabilities could allow database manipulation, information disclosure, creating arbitrary files, injecting arbitrary OS commands that could lead to full compromise of the system, gaining persistence, and executing arbitrary code before the operation system boots.

By exploiting CVE-2024-8356, a threat actor could install a malicious firmware version and gain direct access to the connected controller area networks (CAN buses) and reach the vehicle's electronic control units (ECUs) for the engine, brakes, transmission, or powertrain.

Janushkevich says that the attack chain takes just a few minutes, "from plugging in a USB drive to installing a crafted update," in a controlled environment. However, a targeted attack could also compromise connected devices and lead to denial of service, bricking, or ransomware.