Cybersecurity Experts Warn of Hacking Risks in Mazda’s Connect System

Researchers from Trend Micro’s Zero Day Initiative have identified multiple security vulnerabilities in the systems installed in thousands of Mazda vehicles.

The U.S. government is considering an outright ban on Chinese cars over concerns that they could be remotely accessed by malicious actors, posing a security risk. However, a new group of researchers warns that thousands of Mazda cars already in use across the U.S., Europe, and other regions may also be vulnerable to attacks.

Technology experts at Trend Micro’s Zero Day Initiative—named for the urgency companies face in fixing newly discovered flaws—investigated Mazda’s Connect infotainment system, found in models like the 2014-2021 Mazda 3. They discovered that weaknesses in the system’s security could allow attackers to interfere with the car’s safety systems.

While the chance of Mazdas suddenly becoming autonomous and causing havoc is practically nonexistent—these cars lack self-driving capabilities—there are still security concerns. Report author Dmitry Janushkevich explains that any malicious code would need to be installed through a USB port, rather than via an over-the-air (OTA) update.

Nonetheless, your car could still be vulnerable if you regularly use valet services at hotels, restaurants, or airports, or if you leave it for detailing or repairs. According to the Zero Day Initiative (ZDI), it could take only a few minutes to load malware via the USB port, potentially allowing attackers to disable the vehicle or infect devices plugged into the port later. While access to safety systems is theoretically possible, ZDI didn’t fully investigate which critical functions could be altered or controlled.

According to CyberInsider, Mazda has not yet released a patch for these security vulnerabilities. Until a fix is available, CyberInsider recommends that owners avoid connecting unfamiliar USB devices to the infotainment system and limit third-party access to the vehicle. For those interested in the technical details, ZDI’s full analysis is available in its original report.

Earlier this summer, several car models, including the Porsche 718 Boxster and Cayman and the gas-powered Fiat 500, were withdrawn from sale in Europe for failing to meet new EU cybersecurity standards.
