- Tech boffins have discovered multiple security problems with Mazda’s Connect infotainment setup.
- Researchers at Trend Micro’s Zero Day Initiative learned that attackers could mess with a vehicle’s safety systems.
- Drivers have been advised to avoid connecting unknown USB devices and to limit third-party access to their cars.
The US government wants to ban Chinese cars outright over fears that they could be remotely controlled by bad actors and become a security threat. But a new group of researchers is warning that thousands of Mazda cars already on the road in America, Europe, and elsewhere are vulnerable to attack.
Tech experts at Trend Micro’s Zero Day Initiative – zero day referring to how long companies have to fix a flaw – looked at Mazda’s Connect infotainment system fitted to cars like the 2014-21 Mazda 3 and discovered that attackers could use weaknesses in its security to potentially interfere with a car’s safety systems.
Related: Porsche 718 Cayman And Boxster Axed In EU Due To New Cybersecurity Rules
Admittedly the risk of a swarm of Mazdas becoming sentient and mowing down pedestrians and crashing into gas stations and shopping malls is next to nil. The cars don’t have self-driving capabilities and the author of the report Dmitry Janushkevich says malicious code would have to be inserted via a USB port, rather than via an OTA update.
But your car is still at risk of being compromised if you regularly use valet parking at hotels, restaurants, and airports, or leave your car to be detailed or repaired. ZDI claims it could take just a few minutes to upload malware through the USB port, allowing tech baddies to brick the car or infect passenger devices subsequently plugged into the port. Access to the car’s safety systems is also possible, though ZDI didn’t get as far as investigating which safety-critical functions could be altered or controlled.
CyberInsider says Mazda has yet to release a patch for the security flaws and suggests that until the automaker finds a fix owners should avoid connecting unknown USB devices to the infotainment system and limit third-party access to the vehicle. If you speak geek and want the full breakdown of ZDI’s analysis check out the original report here.
Several car models have already been withdrawn from sale in Europe this summer because they don’t meet new EU cybersecurity rules, including the Porsche 718 Boxster and Cayman and Fiat’s combustion-powered 500.
