Mazda vehicles equipped with certain infotainment systems are now facing critical cybersecurity threats. Trend Micro’s Zero Day Initiative (ZDI) has revealed that multiple vulnerabilities in the Mazda Connect Connectivity Master Unit (CMU) could allow hackers to execute arbitrary code, potentially gaining root privileges over the system. This announcement underscores the need for robust cybersecurity measures in automotive technology and highlights an urgent call for Mazda to address these risks.
The vulnerabilities primarily result from inadequate sanitization of user-supplied input in the CMU, a core component of Mazda’s infotainment system, built by Visteon. Specifically, when certain devices, such as an iPhone or iPod, are connected, the CMU improperly handles device-supplied values that it uses in SQL statements. This makes it possible for a hacker to use a fake device to inject commands into the system, resulting in database manipulation, file creation, or full code execution with elevated privileges.
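The root cause described above, device-supplied values spliced into SQL text, is easiest to see next to its fix. The following is an added example, not code from the article, from ZDI, or from Mazda or Visteon: it uses Python’s built-in sqlite3 module as a stand-in for an in-vehicle device database, and the table layout, the serial allow-list pattern, and the function names are all assumptions. It shows that on the vulnerable path a single quote inside a constructed device serial is handled by the SQL parser as syntax (the precondition for injection), while on the hardened path the same value is validated against an allow-list and then bound as a parameter, so it can only ever be data.

```python
import re
import sqlite3

# Hypothetical allow-list for a connected device's serial: the shape a head unit
# could enforce before the value goes anywhere near SQL (assumption, not Mazda's rule)
SERIAL_PATTERN = re.compile(r"[A-Za-z0-9-]{1,32}")


def make_db():
    """In-memory table standing in for the head unit's device database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (serial TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO devices VALUES ('ABC-123', 'Owner phone')")
    conn.commit()
    return conn


def lookup_unsafe(conn, serial):
    """Vulnerable pattern: the device-supplied serial is spliced into the SQL text,
    so any quote or SQL metacharacter in it reaches the SQL parser as syntax."""
    sql = f"SELECT name FROM devices WHERE serial = '{serial}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, serial):
    """Hardened pattern: the serial is bound as a parameter and can only ever be data."""
    rows = conn.execute("SELECT name FROM devices WHERE serial = ?", (serial,))
    return [row[0] for row in rows]


def register_device_safe(conn, serial, name):
    """Hardened insert: allow-list validation first, parameter binding second."""
    if SERIAL_PATTERN.fullmatch(serial) is None:
        raise ValueError("serial rejected by allow-list")
    conn.execute("INSERT INTO devices VALUES (?, ?)", (serial, name))
    conn.commit()


def demo():
    """Run both paths on a constructed serial containing a single quote."""
    conn = make_db()
    odd_serial = "O'Brien-7"  # constructed: plausible-looking data with a quote inside
    out = {}
    try:
        out["unsafe_lookup"] = lookup_unsafe(conn, odd_serial)
    except sqlite3.OperationalError:
        # The quote terminated the string literal early: device-controlled bytes
        # are being parsed as SQL, which is what makes injection possible.
        out["unsafe_lookup"] = "syntax error"
    # Bound as a parameter, the same value is simply a serial that matches nothing.
    out["safe_lookup"] = lookup_safe(conn, odd_serial)
    try:
        register_device_safe(conn, odd_serial, "Quoted phone")
        out["safe_insert"] = "accepted"
    except ValueError:
        out["safe_insert"] = "rejected"
    register_device_safe(conn, "XYZ-9", "Second phone")
    out["registered"] = lookup_safe(conn, "XYZ-9")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two defenses are deliberately layered: parameter binding removes the injection primitive regardless of what the device sends, and the allow-list rejects values that have no business being a serial at all, which also limits what reaches the later file-creation and command-execution paths the article mentions.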
- CVE-2024-8355: Allows an attacker to use a spoofed Apple device to execute SQL statements on the CMU.
- CVE-2024-8357: Enables unauthorized access to the OS boot steps, potentially allowing root filesystem manipulation and SSH key installation.
- CVE-2024-8359, CVE-2024-8360, and CVE-2024-8358: Input sanitization issues that can lead to full system compromise via command injection.
- CVE-2024-8356: Flaws in the VIP MCU software allow attackers to gain access to vehicle networks by manipulating firmware during the update process.
These flaws are present in Mazda 3 models from 2014 to 2021 and potentially other models using similar infotainment systems. Once exploited, the CMU could potentially compromise any connected devices, such as mobile phones. Hackers could use this access to disable systems, inject ransomware, or even impact physical safety.
An attacker would only need physical access to the vehicle’s USB port to initiate the attack. Once connected, they can execute malicious commands to manipulate or “brick” the system. This scenario is plausible in various everyday situations, such as valet services, ride-sharing, or vehicle maintenance shops.
ZDI has informed Mazda about these risks, but as of now, no patches have been issued. With the increasing digitalization of vehicles, these unpatched vulnerabilities highlight the importance of continuous security updates to protect consumers. Mazda owners are advised to stay vigilant, avoid connecting unfamiliar devices to their vehicles, and stay tuned for updates on this issue.
While Mazda navigates these cyber risks, don’t let your business be caught off guard! 🚀 This Black Friday and Cyber Monday, we’re offering 50% OFF on WireTor’s top-tier pentest services! Make sure your systems are as secure as possible. 🛡️