Slashdot Mirror


You Can Hack Some Mazda Cars With a USB Flash Drive (bleepingcomputer.com)

An anonymous reader writes: "Mazda cars with next-gen Mazda MZD Connect infotainment systems can be hacked just by plugging in a USB flash drive into their dashboard, thanks to a series of bugs that have been known for at least three years," reports Bleeping Computer. "The issues have been discovered and explored by the users of the Mazda3Revolution forum back in May 2014. Since then, the Mazda car owner community has been using these 'hacks' to customize their cars' infotainment system to tweak settings and install new apps. One of the most well-designed tools is MZD-AIO-TI (MZD All In One Tweaks Installer)." Recently, a security researcher working for Bugcrowd has put together a GitHub repository that automates the exploitation of these bugs. The researcher says an attacker can copy the code of his GitHub repo on a USB flash drive, add malicious scripts and carry out attacks on Mazda cars. Mazda said the issues can't be exploited to break out of the infotainment system to other car components, but researchers disagreed with the company on Twitter. In the meantime, the car maker has finally plugged the bugs via a firmware update released two weeks ago.

52 comments

  1. Plugged the bugs? by MangoCats · · Score: 2

    Or, blocked the feature? Isn't this "bug" equivalent to shipping the car with an "unlocked" infotainment device?

    1. Re:Plugged the bugs? by Anonymous Coward · · Score: 0

      "security researchers". Some PR spin for Mazda to lock down the systems.

    2. Re:Plugged the bugs? by someone1234 · · Score: 1

      Or a jobless security researcher who needs some fame and doesn't care about the 'hackers' who just used their cars for more fun.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    3. Re:Plugged the bugs? by Anonymous Coward · · Score: 1

      This is the essence of "computer security" "research": Make scary noises in hopes it gets you consulting monies and damn the consequences. This constant scaremongering has helped bring into being things like laws that criminalise "computer hacking" without defining what that might be and judges that conclude that calling yourself a "hacker" means you give up your fourth amendment rights.

      I'm now waiting for the hammer to fall on the hobbyist tinkerers because by calling this "hacking" the tinkerers are now "hackers" and therefore guilty of "computer hacking", because even an on-board computer is a computer and thus a protected device under that shoddy bad "computer hacking" law. Though it might be easier to simply shout "DMCA violation", which refers to a different but similarly bad law.

      Anyway, plenty of stupidity to go around, from everybody surrounding and even only tenuously and remotely connected to the computing field. But that the so-called "experts" see fit to pour oil on the fires themselves is pretty damning, yes.

    4. Re: Plugged the bugs? by Anonymous Coward · · Score: 0

      Technically, by definition of the original words and actions, hackers are tinkerers and vice-versa. Those that did it maliciously were crackers...

      Hacking came about not as malicious behavior, rather as simple exploration and simply "being able to do it".

  2. Enable features by CanEHdian · · Score: 1

    This is of course great stuff if it allows you to enable features that are normally locked out unless you paid handsomely for the "upgrade". As an example, DVD-Burners are sometimes identical to their LightScribe-brethren except for the firmware. Flash the correct firmware and poof! Your cheap OEM drive is now a branded Retail unit with everything unlocked.

    --
    When the copyright term is "forever minus a day", live every day like it's the last.
  3. Bullshit. by Anonymous Coward · · Score: 0

    If it has a USB drive, I'm willing to bet you can hack ALL Mazda cars via the USB port. Probably true of every other type of car with a USB port connected to any kind of "smart" system.

    It's just that there's a currently known and publicized exploit for some cars. If you think the other Mazdas (or non-Mazda cars) are safe, you're almost certain to be proven wrong.

    Poisontap taught us that it's not hard to hack even up-to-date, well-patched machines running virus scanning software. Cars are WAY less well protected.

  4. wtf by Anonymous Coward · · Score: 1

    ummm nearly every brand and model has forums devoted to hacking/changing/upgrading the infotainment system, why the fuck is this even news?

  5. Well, I feel better by Snotnose · · Score: 1

    Knowing that newbies to the security scene are pretty much clueless and marketing is driving things.

    1. Re:Well, I feel better by phantomfive · · Score: 1

      Every computer can be hacked by inserting a USB 'drive.' USB is not secure, don't let anything untrusted near it.

      Other than that, I share your concern.

      --
      "First they came for the slanderers and i said nothing."
  6. This is a repeat from the mid 70's to early 90's by Snotnose · · Score: 2, Informative

    The gas crisis hit. Cars suddenly had to hit smog standards. At the same time mandatory seat belt laws came into effect. The result was poorly performing cars with pain in the ass seatbelt restraints. I had an '87 Ford Escort, with a shoulder harness that slid along a track. It sucked. As did the car. In every possible way. As in, replacing all light bulbs within 2 years. Rear seat floor rusting out after 4 years (Just past warranty) (In San Diego, no salted roads). Sold it at 80k miles cuz of fan belt squeal. Caused by a crankshaft pulley way off center that would take an engine rebuild to fix.

    Back then they shaved corners off everything they could, hence shitty cars. Now, they're using shitty firmware that is going to make the cars seriously avoidable for a good 10 years, until they wrap their hidebound necks around software and security.

    / That '87 Ford Escort?
    // biggest pile of shit I've ever driven
    /// I'll probably never buy another American car again (I'm 59 in 3 weeks, YMMV).

  7. Malicious, maybe - but more like jailbreaking by djrobxx · · Score: 1

    The "all in one" tool they refer to is very much like a jailbreaking tool. It lets you pick from a list of popular hacks, and makes it easy to install.

    One of the more interesting hacks available is enabling Android Auto support. Mazda is using a system called OpenCar.

    These "exploits" that get you access are really simple ones. Mazda obviously didn't consider them to be of big concern, they've been around for quite a while. Then of course the security zealots come in and ruin all the fun. :)

    Will be more interesting to see if the Mazda dealers try to force this update on you. I imagine people will want to update anyway, there are still some really glaring bugs in their infotainment system (maps crashing, spurious restarting of USB playlists, etc).

  8. "Hacked" mine by Anonymous Coward · · Score: 1

    I followed forum instructions and got a USB network adapter. Then SSH'd in as root and turned off a few annoyances. I thought I was cool ;)

  9. That's why I'm sticking with my 1971 Datsun 240Z by halfdan+the+black · · Score: 1

    It's an absolute blast to drive, those triple dual throat carburetors just freaking scream, it actually feels alive. Unlike the soulless crap that's sold today that's all larded up with electronics crap.

  10. Mazda is not GPL compliant by Anonymous Coward · · Score: 5, Interesting

    Their infotainment center is full of GPL code and Mazda is not in compliance: https://mzdopensource.wordpress.com/

    (Their infotainment contains a gstreamer, busybox, modified Linux kernel, and probably other GPL software.)

  11. Is it really hacking? by Spy+Handler · · Score: 1

    I mean, if you have to break the window of the car or jimmy the door open, and then physically insert a flash drive into the USB port on the dashboard, that's a pretty loose definition of "hack".

    If you were willing to go this far and risk burglary rap, might as well just drive off with the car and sell it to the chop shop rather than simply leaving a malware on the infotainment system.

    1. Re:Is it really hacking? by Calydor · · Score: 1

      If you can use this to turn off tracking systems like OnStar, it's actually a pretty big deal. There was some disagreement of whether you could break out of the infotainment system to the rest of the car's systems.

      And surveillance. Imagine if you didn't have to plant a microphone somewhere in the car, but could actually install a recording app in the car's own systems.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Is it really hacking? by Anonymous Coward · · Score: 0

      Tinkering with a system to customize and add new functionality is the exact definition of "hack".

    3. Re:Is it really hacking? by sunderland56 · · Score: 1

      If I break into a car, I can:

        - possibly attack it via USB; limited ability to hack, on limited car makes and models

        - plug a laptop into the car's OBD port and have complete, total access to the entire car, on every car on the planet

      Why would I be concerned about USB, when you can reprogram all of the car's computers via OBD?

    4. Re:Is it really hacking? by Zero__Kelvin · · Score: 1

      Well, you could just use your key. No need to break windows or jimmy locks. Guessing you don't know what the term "hack" means.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:Is it really hacking? by Zero__Kelvin · · Score: 1

      OBD access doesn't afford access to the entire car, at least in almost all cases. It provides access to the OBD CAN Controller, and sometimes but not always more of the system. The fact that you believe you automagically have access to the entire car tells me you really can't do what you claim.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:Is it really hacking? by sunderland56 · · Score: 1

      The manufacturers I'm familiar with allow firmware updates over OBD2. So if you can't get access to something with stock firmware, flash a new version that does allow it.

      (Assuming that there is connectivity in the first place; if e.g. the entertainment system only connects to 12V and ground, there won't be a remote hack).

    7. Re:Is it really hacking? by Zero__Kelvin · · Score: 1

      Initially you claimed on every car on the planet, but now you are limiting the field quite narrowly aren't you? You would have to have the source and capabilities to build a modified firmware as well, narrowing the field to almost zero. Suddenly your claim that you can plug a laptop into the car's OBD port and have complete, total access to the entire car, on every car on the planet is quite absurd indeed, isn't it?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:Is it really hacking? by sunderland56 · · Score: 1

      This is a geek site. I didn't think I needed to add the disclaimer "with the right kind of knowledge".

      You need the right kind of knowledge to do anything with the USB port as well. Just sticking in a USB stick with "ABBA's Greatest Hits" on it won't work. (Well, maybe in a Volvo.....)

  12. That probably isn't actually a security problem... by Casandro · · Score: 1

    ... as if you need to have physical access to the inside of a car in order to change its firmware, that's a much more intrusive vector than just cutting the brake lines.

    People stop claiming that normal intended features are security critical bugs. Locking people out of the computers they bought is not fixing anything. In fact with routers, blocking OpenWRT usually means that your users won't be able to make their system more secure.

  13. FORD equivalent by a Russian dev... by ELCouz · · Score: 1
  14. I love the naivety by Anonymous Coward · · Score: 0

    The statement from Mazda in TFA...

    Mazda Connect controls a very limited number of functions within a Mazda vehicle and cannot be accessed remotely over a Wi-Fi signal, leaving any threat of hacking by USB to cause minimal damage at very worst and nothing that couldn’t be reversed. From the vehicle standpoint, Mazda Connect can control limited vehicle feature settings, such as keyless entry, what information is shown on the Active Driving Display, when the vehicle reacts to lane departure, etc. But tampering with any of these features does not gain control over the vehicle's steering, acceleration or braking.

    Which is complete crap. All CAN bus controllers are bidirectional. If you can get any kind of access to it, whether via USB or Wi-Fi, then you can inject any kind of data onto the CAN bus. This is exactly how unmarked police cars are able to do fancy things with alternately flashing headlights, high beams, reverse lights and indicators, etc., all via the CAN bus.

    1. Re:I love the naivety by AmiMoJo · · Score: 1

      Actually, there are CAN bus firewalls. For example, the diagnostic port is usually firewalled to be mostly read only.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re: I love the naivety by Anonymous Coward · · Score: 0

      This guy has no idea what he is talking about. You can always get full CAN access from the CAN bus wire on your ECU

  15. Re:This is a repeat from the mid 70's to early 90' by swb · · Score: 1

    Uhh, isn't San Diego on the ocean, that big body of water filled with salt? Might the salt air have added to your corrosion problems?

    Other than that, I agree that Detroit had a lot of problems in the 1980s. Labor problems, economic problems, probably engineering challenges totally overhauling entire product lines to try to compete with smaller and more fuel efficient foreign models.

    What's funny is that I would have thought Ford would have been able to adapt easier because of their extensive experience in Europe. I know at some point in the 1980s they were actually selling some European models in the US.

  16. Qstn: Where can I find similar tweaks 4 my Toyota? by BcNexus · · Score: 1

    I must have poor google-fu or something. I've searched Google and Reddit off and on but haven't found anything useful (searched my infotainment unit model number, browsed forums and posts, searched for "tweaks" and "hacking" but didn't find anything useful).

    I have a 2014 Corolla with a non-GPS, non-streaming-app, touchscreen infotainment system.

  17. Re:This is a repeat from the mid 70's to early 90' by Dogtanian · · Score: 1

    The result was poorly performing cars with pain in the ass seatbelt restraints.

    Those must have been really badly fitting seatbelts if they hurt you there.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  18. Re: Qstn: Where can I find similar tweaks 4 my Toy by Anonymous Coward · · Score: 0

    Toyota infotainment systems are proprietary crap. Source: I've helped friends add features to Mazdas and Fords, but other than stock firmware updates, my Toyota remains un"hacked".

  19. Re:This is a repeat from the mid 70's to early 90' by danomac · · Score: 1

    He forgot to mention the seats had springs poking through the upholstery. So when the seat belt auto-tightened on the track, it literally became a pain in the ass!

  20. Where is the USB port located? by Anonymous Coward · · Score: 0

    Where is the USB port located on these vehicles?

  21. Re:This is a repeat from the mid 70's to early 90' by Dogtanian · · Score: 1

    I know at some point in the 1980s they were actually selling some European models in the US.

    From what I've read, the original version of the North American Escort (presumably the one referred to above) was *supposed* to be based on the 1980 third-generation European Escort, but in practice ended up having little in common with it beyond a vaguely similar shape.

    (This was apparently also the case with the Chrysler Horizon; the Dodge Omni and Plymouth Horizon apparently shared little with their European counterpart).

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  22. Can it run Doom? by keith_nt4 · · Score: 1

    That's all I want to know. Because a Porsche 911 definitely can...

    --
    "UNIX is very simple, it just needs a genius to understand its simplicity." -Dennis Ritchie
  23. Disabled a feature (Re:Plugged the bugs?) by Anonymous Coward · · Score: 0

    Definitely Blocked a feature.

    I got Mazda 3 a few years ago because I could tinker with infotainment.

    I changed various backgrounds, installed Android Auto.

    (you can't affect critical vehicle functions. They provide a socket interface to read and write some parameters, but this is not unrestricted access)

    Originally, I could get in via ssh.
    But after that, I just used the update mechanism. Then I could re-apply the changes after dealer update just by inserting a usb stick.

    If they now disable this update mechanism, then my next car would not be Mazda.

    I think you could still downgrade to a previous version. But later versions may bring official android auto support. So that is the tradeoff.

  24. Protect! by Dishevel · · Score: 2

    Need to protect people from replacing shitty GPS Navigators with Google Maps.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  25. Re:That's why I'm sticking with my 1971 Datsun 240 by TechyImmigrant · · Score: 1

    It's an absolute blast to drive, those triple dual throat carburetors just freaking scream, it actually feels alive. Unlike the soulless crap that's sold today that's all larded up with electronics crap.

    I have a younger sibling of that car. The 350Z convertible. It's also a blast to drive and doesn't appear to be weighed down with electronics.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  26. Re:That's why I'm sticking with my 1971 Datsun 240 by halfdan+the+black · · Score: 1

    The 350z is a great car, everyone is saying that it's destined to become a future classic, unlike the 370. The 350 has nice, clean, conservative lines as opposed to the tacky, gaudy 370. Nissan really started hitting the crack cocaine pretty hard in their styling dept around 2009.

    I'm just hoping Nissan will get over their current styling fugue state and get back to something decent before they roll out the next Z car.

  27. Re:This is a repeat from the mid 70's to early 90' by Anonymous Coward · · Score: 0

    I once saw my dad get his cigarette knocked out of his mouth by one of those seat belts on a track.

    I miss those.

  28. Re:That's why I'm sticking with my 1971 Datsun 240 by TechyImmigrant · · Score: 1

    FWIW, Mazda went off the rails with the current MX5 styling too. I've had two MX5s (the pop up headlights one and the one after that) and they both looked great. The high price and the fussy exterior steered me away from the MX5 this time around.

    My Z is bright orange, which was a significant factor in my choice. Convertible of course.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  29. The people who complained about this are scum by Anonymous Coward · · Score: 0

    They ruined an epically cool thing that made buying a Mazda worth it. You could install Android Auto and get Google Maps and not pay the $1500 that Mazda wanted to activate GPS on your car (all Mazdas have GPS but you have to pay to activate it). Now with this firmware upgrade all new buyers are boned. Thanks for nothing. There was never a security risk. The infotainment system does not talk to your freakin brakes. That is just nonsense. Plus, to root the whole thing you first need to turn on the damn car. Anyone who can do that already has all the access they need to do whatever they want -- including cut the brake lines.