Mazda’s CMU System Exposed to High-Risk Vulnerabilities, AllowingRemote Code Execution
By [Your Name], Senior Journalist and Editor
[Date]
Mazda vehicles, renowned for their driving experience, are facing a serious security threat. Trend Micro, a leading cybersecurity firm, has uncovered multiple high-riskvulnerabilities within the Connect Connectivity Master Unit (CMU) infotainment system of various Mazda models. These vulnerabilities could allow hackers to remotely execute code, potentially jeopardizingdriver safety.
Vulnerabilities Impacting Mazda Models from 2014 to 2021
The affected models include the Mazda 3, among others, manufactured between 2014 and 2021. The vulnerable CMU system version is 74.00.324A. Hackers could exploit these vulnerabilities by gaining control of a victim’s smartphone and then connecting it to the CMU via USB. Thisconnection allows them to execute arbitrary code with root privileges, potentially leading to:
- Disruption of Connected Services: Hackers could disable vehicle connectivity features.
- Ransomware Installation: They could install malicious software that demands payment for data recovery.
- CMU System Paralysis:The infotainment system could be rendered unusable.
- Direct Threat to Driver Safety: The most concerning possibility is the potential for hackers to directly compromise vehicle control systems.
Specific Vulnerabilities Identified:
- CVE-2024-8355: A SQL injection vulnerability in theDeviceManager’s iAP serial number. Hackers can connect an Apple device to inject SQL code, modify the database with root privileges, and execute arbitrary code.
- CVE-2024-8359, CVE-2024-8360, and CVE-2024-8358: These vulnerabilities allow attackers to inject arbitrary instructions into the CMU’s update module, enabling remote code execution.
- CVE-2024-8357: A SoC verification vulnerability. The lack of verification of boot code allows hackers to modify the root file system, install backdoors, and execute arbitrary code.
- CVE-2024-8356: This vulnerability affects the VIP MCU, an independent module. Hackers can manipulate update files, write malicious image files to the VIP MCU, and gain access to the vehicle’s CAN/LIN control network, potentially compromising overall vehicle safety.
Low Entry Barrier for Exploiting Vulnerabilities:
Researchers highlight that exploiting these vulnerabilities requires minimal technical expertise. Hackers can create a file named .up on a FAT32 formatted USB drive, which the CMU recognizes as an update file, allowing them to executemalicious instructions.
Consequences of Exploitation:
By leveraging these vulnerabilities, hackers can gain control of the vehicle’s network through malicious MCU firmware, potentially impacting vehicle operation and safety.
Mazda’s Responsibility and User Precautions:
Mazda is responsible for addressing these vulnerabilities and releasing security patches. Users are advised to:
- Update their CMU system to the latest version.
- Avoid connecting unknown USB devices to the CMU.
- Be cautious about downloading and installing software from untrusted sources.
This security breach underscores the growing importance of cybersecurity in the automotive industry. As vehicles become increasingly connected, manufacturers must prioritizesecurity measures to protect drivers and passengers from potential threats.
References:
- Trend Micro: [Link to Trend Micro’s report on the vulnerabilities]
- IT之家: [Link to the IT之家 article]
Note: This article is based on the provided information and is intended for informational purposesonly. It is not a substitute for professional advice.
Views: 0