Introduction
The Mazda Connect infotainment system, specifically the Connectivity Master Unit (CMU) used in several models, including the Mazda 3 from 2014 to 2021, has been found to contain multiple unpatched vulnerabilities [1] [2] [4] [5]. These vulnerabilities, identified by Trend Micro's Zero Day Initiative (ZDI) [1], stem from inadequate input sanitization and can be exploited through specially crafted USB devices. Successful exploitation can lead to arbitrary code execution with root privileges [2] [5], potentially compromising the entire system, including access to sensitive data and the vehicle's Controller Area Network (CAN) bus.
Description
Multiple unpatched vulnerabilities have been identified in the Mazda Connect infotainment system, particularly within the Connectivity Master Unit (CMU) used in several models, including the Mazda 3 from 2014 to 2021 [2] [5]. Discovered by Trend Micro's Zero Day Initiative (ZDI) [1], these vulnerabilities arise from inadequate sanitization of attacker-supplied input [2] and can be exploited through specially crafted USB devices, such as an iPod or a mass storage device [2] [5]. Successful exploitation can lead to arbitrary code execution with root privileges and potentially full system compromise, including access to sensitive data and the vehicle's Controller Area Network (CAN) bus.
The vulnerabilities include:
- CVE-2024-8358: Command injection in the UPDATES_ExtractFile function, enabling attackers to execute malicious code during software updates due to unsanitized file paths [1]. This vulnerability allows for a one-step hack that can lead to complete system takeover [3].
- CVE-2024-8359 and CVE-2024-8360: Command injections in the REFLASHDDUFindFile and REFLASHDDUExtractFile functions, which allow arbitrary OS command execution via manipulated file path inputs. An attacker can create a file on a FAT32-formatted USB device with a name containing OS commands [2], ensuring the filename ends with .up for recognition by the software update handling code [2].
- CVE-2024-8357: A lack of authentication in the CMU’s System on Chip (SoC) boot process, which risks persistent control by attackers who can bypass boot security checks and manipulate files.
- CVE-2024-8355: SQL injection vulnerability in the DeviceManager, enabling database manipulation or code execution through spoofed Apple device connections [5]. This vulnerability allows a spoofed device to inject malicious SQL code that the system executes at the root level [3], leading to database exposure and arbitrary file creation [1] [3].
- CVE-2024-8356: An unsigned code vulnerability in the Verification IP Microcontroller Unit (VIP MCU), which accepts firmware uploads without verifying their origin. An attacker who can load their own firmware onto the VIP MCU gains access to the CAN bus and can compromise critical vehicle functions [3].
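The DeviceManager flaw (CVE-2024-8355) is a classic case of device-supplied text being spliced into a SQL statement. The following is an added illustration, not Mazda's code or the vulnerable DeviceManager logic: it uses an in-memory SQLite table with a hypothetical `devices` schema and a constructed device name containing an apostrophe to show why string-built queries are fragile and how a bound parameter keeps the name as data. The query that breaks on a benign apostrophe is the same one an attacker-controlled name can redirect.

```python
import sqlite3

# Constructed sample: a name a USB-attached device might advertise.
# The apostrophe alone is enough to break a query built by string formatting.
SAMPLE_DEVICE_NAME = "Alice's iPod"


def make_db():
    """In-memory stand-in for a device registry (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"
    )
    return conn


def register_device_unsafe(conn, name):
    """Vulnerable pattern: the device-supplied name is pasted into the SQL
    text, so it can change the statement instead of just being a value."""
    sql = "INSERT INTO devices (name) VALUES ('%s')" % name
    conn.execute(sql)
    conn.commit()


def register_device_safe(conn, name):
    """Hardened pattern: the driver binds the name as a parameter; whatever
    characters it contains, it can never be parsed as SQL."""
    conn.execute("INSERT INTO devices (name) VALUES (?)", (name,))
    conn.commit()


def stored_names(conn):
    """Return every registered name in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM devices ORDER BY id")]


def demo(name=SAMPLE_DEVICE_NAME):
    """Run both registration paths on the same name and report what happened."""
    conn = make_db()
    try:
        register_device_unsafe(conn, name)
        unsafe_result = "accepted"
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early; SQLite rejects
        # the rest of the statement as a syntax error.
        unsafe_result = "syntax error: %s" % exc
    register_device_safe(conn, name)
    return unsafe_result, stored_names(conn)


if __name__ == "__main__":
    result, names = demo()
    print("string-built query:", result)
    print("bound parameter stored:", names)
```

A real DeviceManager would also want a length limit on the name and a constrained character set, but the parameter binding is what removes the injection class itself; input filtering only narrows it.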
These vulnerabilities pose significant risks, as successful exploitation can lead to manipulation of the infotainment system and potentially affect various electronic control units (ECUs) within the vehicle, with consequences for safety and driving characteristics [1]. Exploitation is made easier by the fact that software update installation is triggered automatically when a USB device is connected [2]; the trigger is an empty file named jci-autoupdate placed on the storage device [2]. The entire attack, from USB insertion to execution of a crafted update, can be completed in a few minutes [5], making vehicles particularly exposed during valet service or ride-sharing [5], or through USB-borne malware [2] [5].
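The three command-injection bugs (CVE-2024-8358, -8359, -8360) share one root cause: a filename read from the USB device is passed into an OS command. The block below is an added example, not Mazda's update handler, showing how an update-handling routine can defuse that class of bug. It assumes a hypothetical mount point (`/mnt/usb`), staging directory and `tar`-based extraction; the filename allowlist is illustrative, not Mazda's rule. The two controls are a strict allowlist on the bare filename and an argv list passed to `subprocess` with no shell, so metacharacters in a name can never reach a command parser.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Allowlist for an update file: a single path component made of letters,
# digits, '_', '-' and '.', starting with a letter or digit, ending in ".up".
# Illustrative policy, not the vendor's.
SAFE_UPDATE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.up$")

# Hypothetical locations used by this example only.
USB_MOUNT_ROOT = "/mnt/usb"
STAGING_DIR = "/tmp/update-staging"


def validate_update_filename(name):
    """True only for a bare .up filename with no path separators, no '..'
    sequence and no characters a shell could interpret."""
    if not isinstance(name, str) or not SAFE_UPDATE_NAME.fullmatch(name):
        return False
    # Belt and braces: the regex already excludes '/', but make the
    # single-component requirement explicit and refuse any '..' at all.
    if ".." in name or PurePosixPath(name).name != name:
        return False
    return True


def extract_command(name, mount_root=USB_MOUNT_ROOT, staging=STAGING_DIR):
    """Build the argv vector that extracts a validated update.

    The vulnerable shape of this routine is a shell string such as
    "tar -xf " + path handed to system(); a filename containing ';' or
    '$(...)' then becomes part of the command line. Here the path is one
    argv element, and no shell ever sees it.
    """
    if not validate_update_filename(name):
        raise ValueError("rejected update filename: %r" % name)
    path = str(PurePosixPath(mount_root) / name)
    return ["tar", "-xf", path, "-C", staging]


def run_extract(name):
    """Run the extraction with list arguments (never shell=True)."""
    return subprocess.run(extract_command(name), check=False)


if __name__ == "__main__":
    # Constructed names: one acceptable, the rest rejected by the allowlist.
    for candidate in ["fw_1.2.up", "a;b.up", "../etc.up", "sub/dir.up", "x.tar"]:
        print("%-12r -> %s" % (candidate, validate_update_filename(candidate)))
    print(extract_command("fw_1.2.up"))
```

The rejection happens before any path is built, so a file whose name fails the allowlist is never touched. Pairing this with signature verification of the update payload before extraction closes the remaining gap, since a well-formed name says nothing about who produced the file.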
While the likelihood of real-world exploitation remains low, as criminals generally prefer traditional methods of vehicle theft [1], the increasing connectivity of vehicles underscores the need for manufacturers to implement robust security measures across all components. At present no patches are available, leaving these systems exposed [4]. Once a CMU is compromised, attackers can modify the root file system to gain persistence, for example by installing backdoored system components, and can install specially crafted VIP microcontroller software that grants unrestricted access to vehicle networks, which may affect vehicle operation and safety [2] [5].
Conclusion
The vulnerabilities identified in the Mazda Connect infotainment system highlight significant security risks that could lead to system compromise and impact vehicle safety. Although the likelihood of exploitation is currently low, the increasing connectivity of vehicles necessitates the implementation of robust security measures by manufacturers. Immediate attention to patching these vulnerabilities is crucial to prevent potential exploitation. Future implications include the need for ongoing vigilance and proactive security strategies to safeguard vehicle systems against emerging threats.
References
[1] https://www.darkreading.com/vulnerabilities-threats/6-infotainment-bugs-mazda-usbs
[2] https://www.zerodayinitiative.com/blog/2024/11/7/multiple-vulnerabilities-in-the-mazda-in-vehicle-infotainment-ivi-system
[3] https://aiandtechs.com/6-infotainment-bugs-permit-mazdas-to-be-hacked-with-usbs/
[4] https://thenimblenerd.com/article/mazda-connect-mayhem-infotainment-system-vulnerabilities-leave-cars-open-to-hacks/
[5] https://securityaffairs.com/170727/security/mazda-connect-flaws.html