Ethical Hacking News

Mazda Connect Flaws Exposed: A Vulnerability Nightmare for Vehicle Owners

Security experts at Security Affairs have exposed critical vulnerabilities in Mazda's infotainment system, dubbed "Mazda Connect". The findings have left vehicle owners wondering about their safety and the potential consequences of such a vulnerability being exploited. Read more to learn about the critical vulnerabilities identified by Pierluigi Paganini.

Mazda's infotainment system, "Mazda Connect", has a critical vulnerability that can allow attackers to execute arbitrary code with root access.

The vulnerability affects the Connectivity Master Unit (CMU) system manufactured by Visteon and is present in at least software version 70.x.

Five critical vulnerabilities were identified, including SQL injection, command injections, and a lack of root of trust in the App SoC.

The attack can be executed from USB insertion to installing a crafted update, taking only a few minutes.

Paganini's report warns that compromised vehicles could be targeted during valet service, ride-sharing, or through USB malware, potentially causing safety issues and ransomware attacks.

CVE-2024-8355: SQL injection in DeviceManager, enabling database manipulation or code execution via spoofed Apple device connections.

CVE-2024-8359 and CVE-2024-8360: Command injections in REFLASH_DDU_FindFile and REFLASH_DDU_ExtractFile, allowing arbitrary OS command execution through file path inputs.

CVE-2024-8358: Command injection in UPDATES_ExtractFile, enabling command execution via file paths during updates.

CVE-2024-8357: Lack of root of trust in App SoC, risking persistent attacker control by bypassing boot security checks.

CVE-2024-8356: Unsigned code vulnerability in VIP MCU, allowing unauthorized firmware uploads that could impact vehicle subsystems.