A critical vulnerability in the 2014-2021 Mazda Connect infotainment system allows an attacker to gain control of the vehicle via a USB connection. This problem remains uncorrected and poses a significant safety risk to vehicle owners.
The Trend Micro research team discovered these serious vulnerabilities in the Mazda Connect system. They stem from a lack of proper filtering of incoming data, which allows attackers to use specially prepared USB storage devices (for example, flash drives) to install malicious code.
Because the Mazda Connect system is based on the Linux operating system and supports updates over USB, attackers can easily load malicious files and gain full access to the vehicle’s system. All that is required is physical access to plug in the USB device and exploit the vulnerability. This poses a risk in situations where the owner leaves the vehicle in a parking lot or hands it over for maintenance. A successful attack would allow an attacker to execute code with administrator rights, letting them make changes to the system, gain access to the vehicle, and even control its functionality.
Visteon, which makes the devices, and Johnson Controls, which developed the software, have yet to issue updates to fix the flaw.