It seems that Mazda car owners have discovered a hack that allows them to tweak the Mazda’s MZD Connect infotainment system by just inserting a USB that has been loaded with a particular code.
The issue is not new
When you see the Mazda3Revoloution Forum, you will realize that the issue had been known since 2014 and Mazda car owners have been playing with the system ever since. In fact, research showed that there had already been a hacking tool going by the name of MZD-AIO-TI.
The MZD – All-In-One Tweaks Installer or, MZD-AIO-TI for short, simply allows the user to play with the system’s settings letting them install apps and do all sorts of things to alter the original configuration.
However, this was followed on by another enthusiastic car system researcher, Jay Turla, a security engineer at Bugcrowd, who used the former knowledge of the MZD-AIO-TI and other tools to devise a new tool called the Mazda-getInfo.
The Mazda-getInfo is a unique tool that lets the user infect MZD Connect’s system through just a USB.
In an interview with BleepingComputer, Turla said that he was inspired to carry on with the project after he visited a Car Hacking Village which was a conference dealing with such systems. He later released the code on GitHub and opened it for anyone who wanted to try the technique on their car.
Once the code is in the system, the user can easily launch an attack that may involve quite harmless things. However, it has been noted that the malware thus injected can be used for far more unscrupulous crimes than just changing the settings.
How does it work?
Essentially, the user just needs to copy the chunk of code released on GitHub, and load it onto one’s USB. Then, the user simply needs to insert the USB into the dashboard and the magic will work by itself. That is, the entire thing is automatic and does not require the user to interfere in any way.
Nevertheless, doing so has certain limitations. One of them is that the car’s engine needs to be running or it must be in accessory mode. Otherwise, the malware will not work.
Although this is a disadvantage regarding hacking, it, however, acts as a defense mechanism against attackers who might want to steal a car by manipulating the car’s smart system. This is because the malware will not allow them to start the car in the first place.
But this is just for the time-being, as Turla noted. Hackers may well come up with botnets which can do the job for them. Also, a remote access trojan attack can also be executed through the vulnerability in the system.
A system update has apparently patched the flaw
BleepingComputer noticed that an updated version of the MZD connect firmware has been released that prevents anyone from injecting malware with a USB.
Not for the first time
This is not the first time when an Internet-connected vehicle has been found vulnerable to cyber attacks. Previously, Jeep Cherokee onboard system was hacked putting more than 470,000 vehicles at risk. Similarly, cars with vulnerable WIFI dongle were also found vulnerable to Bluetooth attacks.
DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.