EXCLUSIVE — Mazda cars with next-gen Mazda MZD Connect infotainment systems can be hacked just by plugging in a USB flash drive into their dashboard, thanks to a series of bugs that have been known for at least three years.
The issues have been discovered and explored by the users of the Mazda3Revolution forum back in May 2014. Since then, the Mazda car owner community has been using these “hacks” to customize their cars’ infotainment system to tweak settings and install new apps. One of the most well-designed tools is MZD-AIO-TI (MZD All In One Tweaks Installer).
The knowledge shared through these two projects has been the base of mazda_getInfo, a project put together by Bugcrowd application security engineer Jay Turla, which automates Mazda car hacks.
Research started out as a curiosity
Speaking to Bleeping Computer, Turla said he started working on the project after recently purchasing a Mazda car.
“I just wanted to check what were the possible attack vectors for my car,” Turla told Bleeping. “I also want to test my car just for my personal research as I enjoyed my first visit at the Car Hacking Village during DEF CON 24 in Vegas last year. I also have a couple of friends in the Philippines who are currently into car hacking research.”
Turla’s mazda_getInfo, which he open sourced on GitHub last week, allows anyone to copy a collection of scripts on their USB flash drive, insert it into their car’s dashboard, and execute malicious code on the car’s MZD Connect firmware.
During his tests, Turla executed simple attacks like printing text on the car’s dashboard or echoing terminal commands. Since MZD Connect is a *NIX-based system, anyone can create scripts and execute more intrusive attacks.
In an email, Turla shared how his project works under the hood.
So I did some research on how is it done including how to create apps. I studied how MZD-AIO-TI (MZD All In One Tweaks Installer from Trezdog44) works and discovered that the tweak included executing a tweak.sh script through cmu_dataretrieval.up and dataRetrieval_config.txt. Thus, I decided to create the mazda_getInfo repo, which demonstrates that the USB port is an attack surface for a Mazda car’s infotainment system by echoing outputs from two known *nix commands through the jci-dialog which appears as a dialog box in an infotainment system. I just want to make it simpler in order to give some awareness.
Turla says that his script is just perfect to re-enable SSH support in the MZ Connect system after the feature has been disabled in previous firmware updates.
USB attack executes automatically
Furthermore, the attack executes automatically right after the user inserts the USB inside a car’s dashboard.
“No need for a user interaction, you just need to insert the USB flash drive in the USB port of your car,” the researcher told Bleeping Computer. “Imagine an autoplay feature on Windows which executes a script directly.”
Despite this benefit, the attack has its downsides. For example, the car must be in accessory mode, or the engine must be running, before the script would execute. This automatically means you can’t use the infotainment flaws to start the car’s motor and hijack cars.
Nonetheless, the researcher doesn’t rule out such scenarios, admitting he only scratched the surface with this issue.
“It is possible although I don’t have a PoC about it,” he said in an email. Nonetheless, the researcher said that some malicious hackers could create a botnet for Mazda cars. Below is a sample config for the dataRetrieval_config.txt file, which the researcher shared via email as an example:
CMU_STATUS=no DATA_PERSIST=no SCREENSHOT=no MEMINFO=no TOP_LOG=no SMEVENTS=no NVRAM_DATA=no THREAD_INFO=no VUI_LOG=no GPIO_DATA=no SETTINGS_BIN=no SMAPS_VALUE=no TEST_MODE=no VUI_ECO_FILES=no BDS_DATA=no FLASHINFO=no SCI_LOG=no LOG_TIMEOUT=120 TMP_FILTER= CMD_LINE=sh /mnt/sd?1/botnet.sh
Furthermore, Turla says one of his work managers believes these flaws could be abused to install RATs (Remote Access Trojans) on Mazda cars.
Other researchers who looked at the MZD Connect firmware shared this opinion. “That CMU [Car Multimedia Unit] is full of remote exec bugs,” wrote security researcher Aris Adamantiadis on Twitter. “If you connect it to WiFi you can have a [read only] access to the CAN bus through network DBUS,” he added.
USB attack loophole closed in recent firmware update
All of this is possible because the bugs allow users to execute unauthorized code on their infotainment unit, which in infosec terms means “anything goes,” if the attacker has the skill and knowledge to write the proper code.
According to the MZF-AIO-TI project, the USB code execution flaws have been fixed with MZD Connect firmware version 59.00.502, released last month. Cars that have not been updated to this version are most likely open to attacks, albeit there are no reports of this issue being abused in any other way except to tweak infotainment dashboards.
Contacted by Bleeping Computer, Mazda dispelled any fears that this issue could have been used for anything dangerous.
Mazda Connect controls a very limited number of functions within a Mazda vehicle and cannot be accessed remotely over a Wi-Fi signal, leaving any threat of hacking by USB to cause minimal damage at very worst and nothing that couldn’t be reversed. From the vehicle standpoint, Mazda Connect can control limited vehicle feature settings, such as keyless entry, what information is shown on the Active Driving Display, when the vehicle reacts to lane departure, etc. But tampering with any of these features does not gain control over the vehicle’s steering, acceleration or braking.
Below is a list of Mazda car models known to feature the MZD Connect system:
Turla told Bleeping Computers he plans to continue his research on car vulnerabilities.
“I’m probably gonna try a Tesla Model S, Honda City 2017, or a Mitsubishi Montero Sport 2017,” the expert said. “Hope I could get some hands-on testing on the dashboards or infotainment systems that will be displayed in the Car Hacking Village for DEF CON this year.”
“But I need some cash though, to have that kind of extensive research (a car is not cheap). I guess I will just borrow some of my friends’ cars for testing.”
Last week, security researcher Aaron Guzman presented a method of hacking Subaru cars at a computer security conference in Australia.