Researchers from Trend Micro's Zero Day Initiative have discovered multiple vulnerabilities in Mazda's in-vehicle infotainment system. The affected Connect Master Unit, installed in various Mazda models including the Mazda (2014 to 2016 models), was found to be susceptible to SQL injection, command injection, and code execution vulnerabilities, which could allow an attacker to gain full system access.

Technical analysis reveals that these vulnerabilities were discovered by , who investigated the latest software version (..) of the device as well as earlier versions dating back to .

The system was designed and manufactured by , with the software originally developed by . () It is commonly found in Mazda vehicles and supports a range of connectivity and user functionalities through the infotainment device. Researchers have discovered that insufficient input sanitization leads to significant security risks, making the system vulnerable to code injection and complete intrusion.

The report states that the application processor runs on an operating system based on , and certain core functions and vehicle communication are handled by an auxiliary microcontroller. This dual-processor design aims to keep certain aspects of vehicle operation isolated. However, researchers found that several aspects of the update and data processing processes can be attacked through a device.

Discovered vulnerabilities:

• Vulnerability in Module Allows Attackers to Exploit () Function: By connecting a fake device that mimics or resembles a device, attackers can inject malicious commands into the device's database, potentially allowing for code execution.
• Command Injection in File Search and Extraction Functions: Three separate command injection vulnerabilities were discovered in the function responsible for managing software updates. The function allows malicious input to trigger arbitrary commands when processing update files. The function also contains a vulnerability that permits the execution of injected commands.
• Hardware Security Vulnerability (--)：Researchers discovered that the main application processor lacks a root of trust in its hardware configuration. This absence of security measures allows attackers to modify the bootloader or core firmware, enabling them to persist on the system even after a reboot.
• Unsigned Code Execution on Assist (--): The vehicle assist microcontroller responsible for vehicle network interaction (such as bus connection) was found to lack code update verification. An attacker with access to this component could upload malicious firmware to affect vehicle control, posing a significant security risk.

Risks Faced by Mazda Owners:

These security vulnerabilities enable attackers to persistently infiltrate the infotainment system and potentially interfere with vehicle safety systems. In fact, malicious attackers could exploit these vulnerabilities in scenarios such as valet parking, ride-sharing services, or car repair shops, where they may have temporary physical access to the vehicle's ports. The exploited ports could serve as entry points for other connected devices, with potential consequences including denial-of-service attacks and malware infections on passenger devices.

Based on these findings, Mazda owners and service providers should take the following steps to prevent being exploited:

• Avoid connecting unknown devices to the infotainment system.
• Restrict third-party access to vehicles, especially in environments where unsupervised access may occur.
• Regularly update as soon as security patches are available, preferably only from official or trusted sources.

Mazda has not yet released a patch, so these vulnerabilities can still be exploited at the time of writing this article.