
Mazda Connect

Product
Developers: Mazda
Branches: Transport

History

2024: Holes in defective Mazda software allow hackers to remotely run any viruses in cars

In early November 2024, vulnerabilities were discovered in the Mazda Connect infotainment unit of several car models, including the Mazda 3, that allow attackers to run arbitrary code with root privileges. These security issues remain unresolved, and some of them can be used to gain unrestricted access to the car's networks, which can affect its operation and safety.

The researchers discovered the vulnerabilities in Mazda software originally developed by Johnson Controls. The identified problems range from SQL injection to unsigned code, and allow attackers to manipulate the database or run malware when a fake device is connected. Although attackers need physical access to the infotainment system to exploit all of the discovered vulnerabilities, this limitation is quite easy to bypass. Unauthorized physical access can be obtained when hotel employees park the car and during service at workshops or dealerships. An attacker only needs to connect a USB device to the car for the attack to launch automatically.

According to the report, compromising the car's infotainment system through the identified vulnerabilities makes it possible to manipulate databases, disclose confidential information, create arbitrary files, inject arbitrary OS commands that can lead to a complete system compromise, gain persistent access, and execute arbitrary code, including any viruses, before the operating system loads. The attack chain takes only a few minutes, from connecting a USB drive to installing a crafted update, and can lead to denial of service, blocking of the system, or installation of ransomware.[1]

Notes