Looks like the MZD hack window is closing

K

Kedis82ZE8

'15 CX-5 AWD GT w/Tech Pkg
Contributor
https://it.slashdot.org/story/17/06/16/2222215/you-can-hack-some-mazda-cars-with-a-usb-flash-drive

"Mazda cars with next-gen Mazda MZD Connect infotainment systems can be hacked just by plugging in a USB flash drive into their dashboard, thanks to a series of bugs that have been known for at least three years," reports Bleeping Computer. "The issues have been discovered and explored by the users of the Mazda3Revolution forum back in May 2014. Since then, the Mazda car owner community has been using these 'hacks' to customize their cars' infotainment system to tweak settings and install new apps. One of the most well-designed tools is MZD-AIO-TI (MZD All In One Tweaks Installer)." Recently, a security researcher working for Bugcrowd has put together a GitHub repository that automates the exploitation of these bugs. The researcher says an attacker can copy the code of his GitHub repo on a USB flash drive, add malicious scripts and carry out attacks on Mazda cars. Mazda said the issues can't be exploited to break out of the infotainment system to other car components, but researchers disagreed with the company on Twitter. In the meantime, the car maker has finally plugged the bugs via a firmware update released two weeks ago.
 
Looks like we know what the latest update does. I'll be avoiding that.

Sent from my XT1585 using Tapatalk
 
It's not scary. Someone would need to physically access your car...

Sent from my XT1585 using Tapatalk
 
No point avoiding it... the AA/CP update will likely close the window too and I'm not holding out just because of that!
 
Plus, anyone involved in info sec at all will be terrified to install a "hack" like AIO in a vehicle that can control braking, acceleration, and steering. Unless you audit the source code line by line, you really don't know what the AIO hack is doing at all levels of the system. It's likely safe, but I value my safety too much to rely on the security skill of anonymous hack coders.
 
IF AA ever comes, and *gasp* I am starting to agree with Mango....it's not....I will upgrade but otherwise? No.
Also, I am in bed with "info sec" and I 'hacked' my infotainment system. I trust the guys building that hack 100%.

Sent from my XT1585 using Tapatalk
 
7eregrine said:
IF AA ever comes, and *gasp* I am starting to agree with Mango....it's not....I will upgrade but otherwise? No.
Also, I am in bed with "info sec" and I 'hacked' my infotainment system. I trust the guys building that hack 100%.
Click to expand...

I wish I could share your trust :)
It's not that the AIO devs would intentionally do something bad (tough they might), it's also the fact that auto manufacturers aren't taking security seriously... so when you combine potential intentional/unintentional AIO flaws with likely Mazda security holes, you're opening it up to a lot of risk.

I've definitely waffled back and forth though... the AIO tweak does bring some very nice (and very needed!) tweaks. But ultimately I'm personally not going to mess with a system that can control my accelerator/brakes/steering :)
 
Yeah... it seems across the auto industry OBD & CANBUS security is pretty much non-existent & root level open when it comes to physical access
 
@Joe6864: you don't get what went into this or how it works, methinks.
First off, there is one dev that made the actual AIO program. He's a real person. You can reach him. Email him. If he tries to kill us with our cars, he's not going to get away with it. He's not some Anon hacker. He's just trying to help and make a few bucks {through donations}.
Second, all his program does is make it easy to run the scripts others have figured out. These are scripts you can read yourself. You don't even have to use the AIO, you can write and upload a script yourself. A lot of people worked together perfecting these scripts. Many publicly. You can follow the progress on some threads at the 3Revolution forum. Point: these things have been checked and double checked by a lot of people. If there was anything nefarious in it, it would have been caught by someone.
You can trust it.

Sent from my XT1585 using Tapatalk
 
Last edited:
7eregrine said:
@Joe6864: you don't get what went into this or how it works, methinks.
First off, there is one dev that made the actual AIO program. He's a real person. You can reach him. Email him. If he tries to kill us with our cars, he's not going to get away with it. He's not some Anon hacker. He's just trying to help and make a few bucks {through donations}.
Second, all his program does is make it easy to run the scripts others have figured out. These are scripts you can read yourself. You don't even have to use the AIO, you can write and upload a script yourself. A lot of people worked together perfecting these scripts. Many publicly. You can follow the progress on some threads at the 3Revolution forum. Point: these things have been checked and double checked by a lot of people. If there was anything nefarious in it, it would have been caught by someone.
You can trust it.

Sent from my XT1585 using Tapatalk
Click to expand...

Oh I definitely understand that part, but that focuses only on intentional issues. I'd be more worried about unintentional consequences or security holes as it interacts with the closed source mazda connect system.

Anyway, to each their own... I was definitely very very close to using it on my system a few times myself! :)
 
7eregrine said:
It's not scary. Someone would need to physically access your car...

Sent from my XT1585 using Tapatalk
Click to expand...

Have you seen the jeep hack? That's being done remotely...maybe I watch too much Mr.robot but I think everything can be hacked so it makes no use being a complete worrywort. Is there anyway to know if the patch has been installed on a recently purchased vehicle?
 
I have seen the Jeep hack. Some Jeeps have wifi allowing an attacker to get in that way. Many of them also have LTE...a cellular radio... Allowing a hack basically across the internet. Now this is next level s*** here... It's not easy and you have to know what you're doing. They also had access to the car before they hacked it, maybe they got an IP or MAC address that helped. We don't know specifics. But the Mazda is not internet connected at all. You must have physical access to the USB port to hack a Mazda. The guys that hacked the Jeep never publicly stated how they did it but one thing is clear: it being connected to the internet was surely how. Not through a phone connected to the car...the car itself.
No, there is no way to know your used car has been hacked, but you can always have the dealer reflash the car.
This AIO hack I have 100% confidence in because, as I said, it's open source. You could find the scripts it runs and verify what they do. You don't need the tool...you could manually run the scripts.
I have got to watch this Mr. Robot. Had a few people tell me I'd like it.

Sent from my XT1585 using Tapatalk
 
Last edited:
Thanks for breaking it down, I totally get it now. My car is new but I bought it after the patch rolled out. I'm not sure if the service guys already updated the car with this patch already. I'd love to load android auto on my own. Seems pretty straightforward and although I'm no techie A should be able to handle it if I know how to root phones and jailbreak my fire sticks.
 
That is actually the one hack I will not do. Installing AA is buggy right now. It breaks your Bluetooth. All this is documented on the Mazda3 forum which is, again, why I trust all the other hacks. Everything was step by step explained as people worked on these things. I will install "hacks" that don't break something...but any hack that reduces the functionality of my car in any way? No. All bugs must be worked out.

Sent from my XT1585 using Tapatalk
 
Please log in or register to reply here.

Similar threads

L
Purchased a 2018 CX-5. Anything to look for while still have warranty?
Replies
11
Views
3K
HyFlyer
HyFlyer
K
In the new 2021 system, does it limit carplay scrolling lists?
Replies
2
Views
2K
georgemoe
G
A
Close to pulling the trigger on a 17 CX-5 GT - information needed!
Replies
18
Views
4K
SurfDoggie
S

Latest posts

Back