The car maker has already issued a patch

Jun 14, 2017 19:43 GMT

As if we didn't have enough things to worry about, it seems like Mazda cars equipped with the next-gen Mazda MZD Connect infotainment systems can be hacked with a simple USB flash drive. 

This seems to be possible only thanks to a series of bugs that have been known for about three years but were never addressed. According to Bleeping Computer, the issue was discovered and tested by users of the Mazda3Revolution forums some three years ago. Ever since then, Mazda owners have been using these hacks to customize their infotainment systems, install new apps and so on.

Application security engineer Jay Turla put together the base of mazda_getInfo, a project that automates Mazda car hacks.

"I just wanted to check what were the possible attack vectors for my car. I also want to test my car just for my personal research as I enjoyed my first visit at the Car Hacking Village during DEF CON 24 in Vegas last year. I also have a couple of friends in the Philippines who are currently into car hacking research," Turla told Bleeping Computer.

The open-sourced project lets anyone with a copy of a collection of scripts loaded on a USB flash drive execute malicious code on a Mazda car.

Turla managed to perform simple attacks like displaying text on the car's dashboard, but more intrusive attacks are also possible.

What's more, the attacks execute immediately after the USB drive is inserted in the car's dashboard. "No need for a user interaction, you just need to insert the USB flash drive in the USB port of your car. Imagine an autoplay feature on Windows which executes a script directly," the researcher said.

Before the script executes, however, the car must be in accessory mode, or the engine must be running.

Malicious hackers, the researcher said, could easily create a botnet for Mazda cars. The flaw could also be used to install RATs (Remote Access Trojans) on the cars.

A fixed issue... if you updated

Late last month, Mazda released a firmware update (59.00.502) which fixes the MZD Connect issues. However, if the car has not been updated, it is still open to attacks.

Mazda, however, defends itself, saying that Mazda Connect can only control limited vehicle feature settings, such as keyless entry, what information is displayed on the Active Driving Display, when the vehicle reacts to lane departure and so on. "But tampering with any of these features does not gain control over the vehicle's steering, acceleration or braking," the company points out.

The affected models are Mazda CX-3, CX-5, CX-7, CX-9, Mazda2, Mazda3, Mazda6, and Mazda MX-5.

"Unfortunately, today, because there are so many more computer controlled features and the vehicles are connected to the internet we have a Perfect Storm of Vulnerability. And to make matters worse this can make a family commuter car a dangerous weapon in the hands of a skilled attacker. Although it is more likely to get the car stolen, than crashed," said Art Dahnert, managing consultant at Synopsys.