Some Mazda cars could reportedly be hacked, thanks to several vulnerabilities spotted by security experts, which would allow hackers to launch automatic attacks just by inserting a USB drive into a car's dashboard.
The bugs were first discovered three years ago by users of the Mazda3Revolution forum, who have since been "hacking" the cars to customise the vehicles' infotainment systems and install new apps, BleepingComputer reported. The hacking technique was brought to light by Bugcrowd application security engineer Jay Turla, who put together a project to automate Mazda car hacks.
"The Mazda car isn't alone in this scenario either. Most of the major automotive brands have a following that have tapped into the various computer systems on the vehicle to add new features or turn off existing ones," Art Dahnert, managing consultant at Synopsys, told IBTimes UK.
"Unfortunately, today, because there are so many more computer-controlled features and the vehicles are connected to the internet we have a perfect storm of vulnerability," Dahnert added. "And to make matters worse, this can make a family commuter car a dangerous weapon in the hands of a skilled attacker. Although it is more likely to get the car stolen, then crashed."
It was curiosity that led Turla to look for ways to hack Mazda cars. "I just wanted to check what were the possible attack vectors for my car," Turla told Bleeping. "I also wanted to test my car just for my personal research."
Turla's attack is based on Mazda's MZD-AIO-TI (MZD All In One Tweaks Installer) tool. For the attack to work, however, the car's engine has to be running and it must be in accessory mode. According to Turla, the flaws can also allow hackers to install RATs (Remote Access Trojans) on the vehicle's system.
However, Mazda has fixed the USB attack loophole and confirmed that the vulnerabilities cannot be used to conduct malicious attacks.
"Mazda Connect controls a very limited number of functions within a Mazda vehicle and cannot be accessed remotely over a Wi-Fi signal, leaving any threat of hacking by USB to cause minimal damage at very worst and nothing that couldn't be reversed. From the vehicle standpoint, Mazda Connect can control limited vehicle feature settings, such as keyless entry, what information is shown on the Active Driving Display, when the vehicle reacts to lane departure, etc. But tampering with any of these features does not gain control over the vehicle's steering, acceleration or braking," the firm said in a statement.
"Preventing the loyal customer base from customizing their car will not win over new buyers and will most likely lose existing ones. However, it is extremely important that the car is safe and will not injure the driver or occupants, so making sure that software running the various computer modules is secure should be priority one," Dahnert told us.