Drive A Mazda? Your Privacy Could Be Gone In 10 Seconds

tex2670

Grand Poobah
Very interesting. Since my '12 CX-9 has tech circa '06, I guess I don't have to worry.


https://www.forbes.com/sites/thomasbrewster/2018/03/09/mazda-privacy-hack-via-usb/#3be1f8104d0c

Drive A Mazda? Your Privacy Could Be Gone In 10 Seconds


Thomas Fox-Brewster, FORBES STAFF

All it might take is a USB stick and 10 seconds for a Mazda to be turned into a kind of spy mobile.

Two researchers who've been probing one of the car maker's models in recent months found the vehicle was collecting an awful lot of information from drivers' smartphones, including text messages, call records, app activity, photos, contacts, GPS history and emails. And it was storing all that information unencrypted, they claim. They later discovered a way to install malware on the car, forcing it not only to hand over all that information, but track the location of the vehicle in almost real-time.

Pwning a Mazda

Researchers Stefan Tanase and Gabriel Cirlig from cybersecurity firm Ixia will release their findings Friday at the Kaspersky Analyst Summit in Cancun. Though they didn't name the manufacturer directly, Forbes was able to determine the name of the car maker affected as Mazda.

A Mazda spokesperson said the company hadn't been contacted by the researchers and couldn't respond to the findings without more information. "What we can say is that cybersecurity and protecting our customers' privacy is of the utmost importance to Mazda, and we take all concerns very seriously in order to ensure our customers enjoy their experiences today and in the ever-more-connected future," the spokesperson added.


Via onboard USB and Wi-Fi, Cirlig and Tanase probed an unspecified vehicle and abused the autorun feature on the car's Linux OS. From there, they ran a script that gave them a permanent connection into the car's infotainment system, believed to be made by a third-party vendor, though the researchers haven't revealed which one.

They went further, creating a script that, once uploaded via USB, would consistently ping a remote computer with the location of the vehicle, acting as a kind of hidden, permanent beacon. That would work even on models where GPS features weren't available, as GPS chips appeared to be soldered onto the vehicle's motherboard regardless of whether or not location services were available.

They then installed software in the car that could have collected information from and potentially attacked Wi-Fi networks as the vehicle travelled, though the researchers didn't want to test the bounds of the law. Dubbing this "vehicle weaponization," they created a simple program that would map open Wi-Fi networks as the car roamed around a quiet corner of Bucharest.


Rental privacy rights

There are some limitations to the attacks. First, physical access to a fired up car is required. And the researchers noted that the vehicles wouldn't always pull all data from all apps. The vehicles wouldn't, for instance, grab Signal or WhatsApp messages, and it would be "hit and miss" for the kinds of email apps from which the cars would store content. "But more standardised apps like Android open source project, it will have no issues pulling," Tanase added.

But of real concern to Tanase was the potential for rental cars to hoover up and store information on all drivers who connect in, which could then be easily nabbed by anyone with access to the vehicle. "What we discovered is that the car is crawling the phone," he said. Tanase imagined a diplomat or government official using an infected rental car, having all their sensitive information pinged to a remote computer, or their location remotely monitored. It'd be possible to put other kinds of malware on the infotainment system too, ransomware included. "The sky is the limit, it's a Linux box and you can do whatever you want on it," Tanase added.

For Cirlig, the attack wasn't difficult. But it shouldn't be tricky to pull off for any hacker with rudimentary skills, he added. "It's not rocket science. If I can do it in my spare time, any hacker can do it." Cirlig said it should also be simple for the car maker to add encryption to protect all that data.

Though they didn't name the manufacturer, they said its most recent models are likely open to their attacks. Forbes was not able to independently verify that claim, however. It may be difficult for Mazda to roll out fixes without an over-the-air update too. Any patches, Cirlig added, would have to be done at the local dealership.

This has been in about four threads already. You have to be able to enter the car, and the reports are that the fix has already been made. As much of a real story as the 2018 AWD Mazda 6 2.5T.

This would be an issue in many cars, especially the ones running Android OS or a basic Windows OS behind the scenes. This is not only a Mazda concern.
Chrysler/Dodge/Jeep cars were hit really badly more than a year ago, using a similar weakness/security hole in their system.

If the car is not connected to Wi-Fi, the bad guy still needs physical access to the car, the engine running and the USB port. They can't just "infect" your Mazda by walking around it on your driveway or by passing you on the freeway. Simple as that.


It is almost a good thing that our cars' infotainment systems don't come with a built-in SIM slot for permanent access to Wi-Fi while driving.

And yes, I can see how rental Mazdas (and many other brands) can be compromised if a bad guy gets hold of them for a day. A ton of malware can be loaded into their dashboard computers and used for tracking and stealing phone data. This was expected.
You put computers with a mainstream OS and user interface in cars, and sooner or later someone will find a way to exploit that. There is a reason self-driving cars scare me so much.