This post is also available in:
עברית (Hebrew)
A recent report from Trend Micro’s Zero Day Initiative (ZDI) has revealed multiple security vulnerabilities in Mazda’s in-vehicle infotainment systems, exposing them to the risk of severe exploitation by malicious actors. The vulnerabilities affect the Mazda Connect Connectivity Master Unit (CMU), a system used in a range of Mazda models, including the 2014 to 2021 models of Mazda. Despite being identified, these flaws remain unpatched, leaving vehicles vulnerable to a range of attacks.
The report highlights six critical vulnerabilities in the CMU system that could allow an attacker to run arbitrary code with root access to the vehicle’s infotainment system. The core issue is a series of OS command injection vulnerabilities, caused by insufficient sanitization when the system processes external input. In practical terms, this means that a malicious actor could exploit the flaws by simply inserting a specially crafted USB drive into the infotainment system.
To exploit the vulnerability, an attacker needs physical access to the vehicle for just a few minutes. The USB device would need to contain a malicious file, with a filename ending in “.up”—a format recognized by the system as a software update. Once the device is connected, the system would automatically trigger an update, executing the attacker’s commands without any further user interaction. The exploitation process is relatively simple, and the attack could go undetected unless proper security measures are in place.
The potential consequences of such an attack are serious. An attacker could gain full control over the infotainment system, leading to potential denial of service, the compromise of connected devices, and even the installation of ransomware. In more severe cases, the attacker could manipulate the vehicle’s root file system or install backdoored components, which could affect vehicle operation or safety, according to Cybernews.
Researchers note that this incident underscores a broader issue in the automotive industry: even mature products with a long history of security fixes can still harbor critical vulnerabilities. These security flaws indicate the need for more rigorous safety protocols in the development of automotive infotainment systems, and highlight the growing importance of cybersecurity in the automotive sector.
