Another day, another crash in automotive device software.
This time, the bug was found in the infotainment system of older 2014-2017 Mazdas. Drivers reported that their HD radio receivers crashed when connecting to a local radio station. The radio and its display, Bluetooth capabilities, built-in maps and digital clocks were all bricked.
According to reports, the crash was caused by a simple coding error that was triggered when the radio station sent images without the required extension in the file names.
While frustrated Mazda owners waiting for their new $1500 CMU (Connectivity Master Unit) might disagree, this particular bug was relatively harmless — resulting in minimal damage.
Unfortunately, chances are we will continue to hear reports of software failures in vehicle systems, and as vehicles become more reliant on code, the risks of vulnerabilities affecting security and safety increase exponentially. Who knows how the next bug will affect the drivers?
How a simple coding error damaged Mazda’s ancillary systems
The full details of the coding flaw that led to the Mazda CMU crash were not published, but we can assume it was some sort of NULL dereference vulnerability.
This is how it works:
In the C programming language there is a function called strchr. This function receives two parameters: a pointer to a string and a character, and tries to find the character within the string, returning a pointer to the found result. If the function fails, it returns a NULL pointer.
The program will then probably try to determine the extension of the specific file it received.
To check the extension, it will probably use a function similar to strcmp. This function receives two pointers and compares their contents. In the end, the comparison is made by dereferencing the pointers.
Dereferencing is the action of reading the value that the pointer points to.
In this particular case, the NULL pointer was passed to this function, and when the function tried to dereference the NULL pointer, it raised an exception.
This type of vulnerability in the code can be easily avoided by checking if the received pointer is different from NULL.
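The check described above, as an added example in C. It is not code from the Mazda CMU or from the original article; the function names, the extension list and the sample file names are constructed for illustration, and the hardened version uses strrchr (last dot) rather than strchr so that names with several dots are handled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allow-list of image extensions (assumption, not Mazda's). */
static const char *const ALLOWED_EXT[] = { ".png", ".jpg", ".jpeg" };

/* Pattern described in the text, shown for contrast and never called here:
 * strchr() returns NULL for a name without '.', and strcmp() then
 * dereferences that NULL pointer. */
int is_png_unchecked(const char *name)
{
    return strcmp(strchr(name, '.'), ".png") == 0;
}

/* Hardened form: every pointer is checked before it is dereferenced.
 * Returns 1 for an allowed extension, 0 for anything else, including a
 * NULL name, a name with no dot, a bare ".png" and a trailing dot. */
int has_allowed_ext(const char *name)
{
    if (name == NULL)
        return 0;
    const char *dot = strrchr(name, '.');          /* last '.' or NULL */
    if (dot == NULL || dot == name || dot[1] == '\0')
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_EXT / sizeof ALLOWED_EXT[0]; i++)
        if (strcmp(dot, ALLOWED_EXT[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample file names, including the extension-less case. */
    const char *samples[] = { "cover.png", "album.art.jpeg", "cover",
                              "cover.", ".png", "logo.exe" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               has_allowed_ext(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Rejecting the malformed name and continuing keeps a single bad broadcast image from taking down the rest of the unit.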
Prevention and Mitigation
To avoid these kinds of issues in the development phase, software engineers must follow secure coding standards that define how code should be written to avoid security vulnerabilities in device software.
While secure coding is key to preventing software vulnerabilities, it is only one factor.
Coding is always prone to human error, even when the code is written by the most experienced programmers. Plus, most of the products we use today rely heavily on a supply chain that includes open source and third-party software that your programmers didn’t write.
Smart cars need smarter security
Automakers are investing heavily in advanced automated safety controls, from steering and braking to blind spot detection and everything in between. Given that these systems have become increasingly reliant on software, why isn’t the same focus placed on automotive software security?
The cost of a software vulnerability in automotive equipment skyrockets if it is discovered after the car is on the road. In addition to the cost of halting production or issuing a recall, software errors can lead to more than the inconvenience of a broken infotainment system. When found in critical safety devices, they can even affect human lives.
Inadequate attention to software security in automotive devices can turn cars into ticking time bombs. Today’s heavily automated cars require OEMs to expand their focus beyond physical vehicle safety and include software security, from the earliest design stages to tracking software versions already on the road.
The road to car safety: secure software
To ensure secure and vulnerability-free automotive devices, additional steps are needed beyond secure coding or manual bug tracking. Firmware and code in all devices must be continuously checked for vulnerabilities so that errors are detected and fixed quickly. Automated product security helps teams address security risks before they happen, not after they make headlines.
An advanced automotive security platform, such as Cybellum, enables product security teams to track every line of code in their software, whether created in-house, acquired from a third party or open source, and ensure software vulnerabilities are detected and addressed early, before they can cause costly harm to people and seriously damage the reputation of manufacturers.
Mazda’s infotainment crash proves once again that a simple coding error can cause unforeseen chaos. Fortunately, this time the damage was limited to infotainment and temporarily frustrated drivers plus a few headlines. Automakers need to start prioritizing device security to make sure all the software their products rely on doesn’t throw them off the road.
Sponsored by Cybellum
This post, Mazda Infotainment Crash Shows Just How Vulnerable Car Security Really Is, was originally published at https://www.bleepingcomputer.com/news/security/mazda-infotainment-crash-shows-how-fragile-car-security-really-is/