Two security researchers have discovered serious vulnerabilities in Mazda's infotainment system.
As our cars become more computerized and connected, there are bound to be attack vectors vulnerable to exploit. Ask Jeep, the first automaker to find itself in the crosshairs of researchers who found a major exploit that allowed them to take over a vehicle's vital functions. Now it's Mazda's turn. Two security researchers have discovered one of Mazda's models saves personal data from smartphones connected to the automaker's infotainment system—and they were able to retrieve it, too.
According to Forbes, the two researchers found the car was storing "text messages, call records, app activity, photos, contacts, GPS history and emails" unencrypted. The researchers were then able to exploit the infotainment system's underlying operating system—Linux, in this case—to retrieve the unencrypted information. They also modified the infotainment's OS to do some wardriving.
While the researchers, Stefan Tanase and Gabriel Cirlig of cybersecurity firm Ixia, didn't release the brand of the vehicle in question, it's obvious the infotainment system pictured in the above video is that of Mazda. The pair will release their findings at the Kaspersky Analyst Summit in Cancun. Mazda couldn't comment on the specific vulnerability as the researchers hadn't divulged specifics of it to the automaker. “What we can say is that cybersecurity and protecting our customers' privacy is of the utmost importance to Mazda, and we take all concerns very seriously,” a Mazda spokesperson told Forbes.
It's unlikely to be an issue for those who own Mazdas as physical access is needed to perform the exploit, but it could be of concern to those who connect their phones to Mazda rentals and other shared cars. As the automaker fits nearly all its models with GPS chipsets, whether those vehicles have navigation activated or not, the researchers were able to leverage the hardware to send "pings" from the car to show its location in addition to grabbing personal data from the infotainment system. “What we discovered is that the car is crawling the phone,” said Tanase. “The sky is the limit, it's a Linux box and you can do whatever you want on it.”
What's even worse is Mazda can't roll out an over-the-air update like Tesla can with its cars, so the only way to patch the vulnerability would be to issue a recall and load the updated software manually. QNX, a division of Blackberry, provides software for Mazda vehicles, though it's unclear if it provides the subsystems involved in the exploit. QNX also built the underlying systems for Uconnect, the system previously hacked in Jeeps, and provides software to many other automakers.