Mazda cars equipped with MZD Connect, next-gen infotainment systems, can be hacked with a USB drive

Now Mazda cars installed with the next-gen infotainment system called as the Mazda MZD Connect, can be hacked just by plugging in a USB flash drive into their dashboard. This hack is possible thanks to a series of bugs that have been known to exist since at least three years and can be used to tweak settings and install new apps. This set of hacks and issues were first discovered by the Mazda3Revolution forum back in May 2014.

Speaking to Bleeping Computer, security engineer Jay Turla of Bugcrowd application, which automates Mazda cars, said, "I just wanted to check what were the possible attack vectors for my car, I also want to test my car just for my personal research as I enjoyed my first visit at the Car Hacking Village during DEFCON 24 in Vegas last year. I also have a couple of friends in the Philippines who are currently into car hacking research."

Turla uses the mazda_getinfo project to hack into Mazda cars and he recently open-sourced it on GitHub and the code is available for anyone to copy on a USB drive and execute on the Mazda infotainment system.

While testing the hack, Turla executed simple attacks like printing text on the car's dashboard or echoing terminal commands. The attack is executed automatically right after the user inserts the USB inside a car's dashboard. "No need for a user interaction, you just need to insert the USB flash drive in the USB port of your car," Turla told Bleeping Computer.

However, there are some drawbacks to this hack, such as the fact that the car must always be in accessory mode and that the engine must be running for the code to execute. This automatically means you can't use the infotainment system's flaws to start the car's motor and hijack cars...yet.

Turla further mentions that these flaws can be used to install RAT's (Remote Access Trojans) on Mazda cars. Currently only the Mazda CX-3, Mazda CX-5, Mazda CX-7, Mazda CX-9, Mazda2, Mazda3, Mazda6 and Mazda MX-5 are known to be hacked via a USB.


Published Date: Jun 17, 2017 11:29 am | Updated Date: Jun 17, 2017 11:29 am


Also See