Researchers from Trend Micro's Zero Day Initiative (ZDI) have uncovered multiple vulnerabilities within Mazda's in-vehicle infotainment system, Mazda Connect.
Installed in various Mazda models, including the Mazda 3 (model years 2014–2021), the affected Connectivity Master Unit (CMU) was found to be vulnerable to SQL injection, command injection, and code execution exploits, which could enable attackers to gain full root access to the system.
Technical analysis
The vulnerabilities were identified by Dmitry Janushkevich of ZDI, who investigated the latest software version available for the unit (74.00.324A) as well as prior versions dating back to 70.x. The system, designed and manufactured by Visteon with software originally developed by Johnson Controls Inc. (JCI), is commonly found in Mazda vehicles and supports a range of connectivity and user functions through the infotainment unit. The researchers found that insufficient input sanitization created significant security risks, leaving the system susceptible to code injection and full compromise.
ZDI reported that the CMU's application processor runs a Linux-based operating system, with certain core functionalities and vehicle communication handled by a secondary microcontroller. This dual-processor design is intended to keep certain aspects of the vehicle's operations isolated. However, researchers discovered that several aspects of the CMU's update and data handling processes were open to exploitation through USB devices.
[Image: Mazda's infotainment system. Credit: ZDI]
Vulnerabilities identified
- SQL Injection in DeviceManager iAP Serial Number (CVE-2024-8355): A vulnerability in the DeviceManager module allows attackers to exploit the eInsertDeviceEntry() function. By connecting a spoofed USB device that mimics an iPod or similar, attackers can inject malicious SQL commands into the device's database, potentially allowing code execution.
- Command Injection in File-Finding and Extraction Functions: Three separate command injection vulnerabilities were identified in functions responsible for handling software updates. The REFLASH_DDU_FindFile and REFLASH_DDU_ExtractFile functions allow attacker-controlled input in update files to trigger arbitrary shell commands, and the UPDATES_ExtractFile function is vulnerable in the same way, permitting injected OS commands to be executed.
- Hardware Security Lapse (CVE-2024-8357): Researchers discovered that the CMU's main application processor lacks a root of trust in its hardware setup. This missing security measure allows attackers to modify the bootloader or core firmware to persist on the system, even after reboots.
- Unsigned Code Execution on Auxiliary MCU (CVE-2024-8356): The vehicle's secondary microcontroller, responsible for vehicle network interactions (such as CAN bus connections), was found to lack verification for its code updates. Attackers with access to this component could upload malicious firmware to influence vehicle controls, which is a serious safety concern.
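The pattern behind the first two findings is the same: a value reported by an attached device or an update file is pasted into a SQL statement or a shell command instead of being validated and bound as data. The following added example (not ZDI's or Mazda's code; it assumes a SQLite table and a serial-number format invented here for illustration) shows the vulnerable insert beside a hardened one, using a single quote in the serial as the smallest input that reveals whether the value reaches the SQL parser. The same allowlist-then-bind discipline applies to the update-file names handled by the extraction functions.

```python
import re
import sqlite3

# Constructed stand-in for the CMU device table; not Mazda's real schema.
SCHEMA = "CREATE TABLE devices (id INTEGER PRIMARY KEY, serial TEXT, kind TEXT)"

# The serial number is reported by the USB device itself, so it is
# attacker-controlled input. Allowlist bound assumed for illustration.
SERIAL_RE = re.compile(r"[A-Za-z0-9-]{1,32}")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_device_vulnerable(conn, serial, kind="ipod"):
    """Pattern behind the flaw: the serial is pasted into the SQL text,
    so quotes or SQL syntax inside it are parsed as part of the statement."""
    sql = "INSERT INTO devices (serial, kind) VALUES ('%s', '%s')" % (serial, kind)
    conn.execute(sql)
    conn.commit()


def insert_device_hardened(conn, serial, kind="ipod"):
    """Hardened form: reject anything outside the expected format, then
    bind the value as a parameter so it is stored as data, never parsed."""
    if not SERIAL_RE.fullmatch(serial):
        raise ValueError("rejected device serial: %r" % serial)
    conn.execute("INSERT INTO devices (serial, kind) VALUES (?, ?)", (serial, kind))
    conn.commit()


def stored_serials(conn):
    return [row[0] for row in conn.execute("SELECT serial FROM devices ORDER BY id")]


def demo():
    """Return (vulnerable_result, hardened_result) for a constructed serial
    containing a single quote, the minimal input that breaks out of the
    string literal in the vulnerable query."""
    hostile = "ABC'DEF"  # constructed sample, not a real device serial
    results = []
    for insert in (insert_device_vulnerable, insert_device_hardened):
        conn = new_db()
        try:
            insert(conn, hostile)
            results.append("stored")
        except sqlite3.OperationalError:
            results.append("parsed as SQL")  # input reached the SQL parser
        except ValueError:
            results.append("rejected")
    return tuple(results)
```

Running demo() yields ("parsed as SQL", "rejected"): the vulnerable insert fails with a SQL syntax error because the quote was interpreted as code, while the hardened insert refuses the value before any statement is built.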
Risks for Mazda owners
These security flaws collectively allow an attacker to persistently compromise the infotainment system and potentially interfere with vehicle safety systems. In practical terms, a malicious actor could exploit these flaws in scenarios like valet parking, ride-sharing services, or automotive repair shops, where brief physical access to the vehicle's USB port might be feasible. An exploited CMU could serve as a point of compromise for other connected devices, with potential outcomes ranging from denial-of-service attacks to malware infections on passenger devices.
In light of these findings, Mazda vehicle owners and service providers should take the following steps to protect against exploitation:
- Avoid connecting unknown USB devices to the infotainment system.
- Limit third-party access to the vehicle, especially in environments where unsupervised access to the CMU may be possible.
- Apply security updates as soon as they become available, ideally only from official or trusted sources.
Mazda has yet to release a patch, so these vulnerabilities remain exploitable at the time of writing.