1 枯れ果てた名無し@転載禁止 (b0e7ae2d) 2024/11/10 (日) 17:13:46.740 ID:LSt12hy8W
マツダの車載インフォテインメントシステムに6つの重大な脆弱性が発見された。この発見は2024年11月9日、セキュリティ研究機関Trend Microのゼロデイ・イニシアチブ(ZDI)によって公表された。
影響を受けるのは、ミシガン州に本社を置くVisteon Corporation社が開発したマツダコネクト・コネクティビティ・マスターユニット(CMU)を搭載した車両で、具体的にはマツダ3やCX-3、CX-5、CX-9などの最近のモデルが該当する。
https://innovatopia.jp/cyber-security/cyber-security-news/44617/
2 枯れ果てた名無し@転載禁止 2024/11/10 (日) 17:16:53.233 ID:LSt12hy8W
・Exploitation
An attacker can exploit these vulnerabilities by creating a file on a FAT32-formatted USB mass storage device with a name that contains the OS commands to be executed.
The filename must end with .up for it to be recognized by the software update handling code.
Once the initial compromise is achieved, the attacker can gain persistence through manipulation of the root file system or install a specially crafted VIP microcontroller software allowing unrestricted access to vehicle networks.
・Associated Risks
According to ZDI’s blog post, the attack chain can be completed in a few minutes in a lab environment, and there is no reason to believe it will take significantly more time against a unit installed in a car.
This means that the vehicle can be compromised while being handled by a valet, during a rideshare, or via USB malware.
The CMU can then be compromised and “enhanced” to attempt to compromise any connected device in targeted attacks that can result in DoS, bricking, ransomware, safety compromise, etc. The worst part of it is that these security vulnerabilities remain unpatched.
Hackers Can Access Mazda Vehicle Controls Via System Vulnerabilities
https://hackread.com/hackers-mazda-vehicle-controls-system-vulnerabilities/
Multiple Vulnerabilities in the Mazda In-Vehicle Infotainment (IVI) System
https://www.zerodayinitiative.com/blog/2024/11/7/multiple-vulnerabilities-in-the-mazda-in-vehicle-infotainment-ivi-system