Unpatched Vulnerabilities Allow Hacking of Mazda Cars: ZDI

Vulnerabilities in the infotainment system of multiple Mazda car models could allow attackers to execute arbitrary code with root privileges, Trend Micro’s Zero Day Initiative (ZDI) warns.

The issues, ZDI explains, exist because the Mazda Connect Connectivity Master Unit (CMU) system does not properly sanitize user-supplied input, which could allow a physically present attacker to send commands to the system by connecting a specially crafted USB device.

The CMU, popular among the modding community, which has released software tweaks to modify its operations, was manufactured by Visteon and runs software initially developed by Johnson Controls.

According to ZDI, the flaws, which were identified in software version 74.00.324A, could be used in conjunction to “achieve a complete and persistent compromise of the infotainment system”. Earlier software iterations might also be affected. Mazda 3 model year 2014-2021 and other car models are impacted.

See more: https://www.securityweek.com/unpatched-vulnerabilities-allow-hacking-of-mazda-cars-zdi/

#cybersecurity #mazda