Radio station snafu in Seattle bricks some Mazda infotainment systems

Infosec thinks a buggy image parser in these Mazdas can be actively exploited to do RCE.



Yeah, weren't the radio stations locked to the local NPR radio signal after this happened?

I live in PDX and have not heard of any local radio stations causing this but who knows if it couldn’t happen with a different station.

The primary source I instead used for the news thread post has a video clip of the behaviour; it does appear to be stuck on a particular radio channel, and plays that channel even whilst the infotainment display is rebooting and crashing.

Mazda headquarters says the problem was that KUOW “sent image files with no extension.”

So this could easily happen with any station which uses HD radio, and maybe in theory any other digital radio format that can carry images.


Hmm, so maybe the radio station sent an anti-GIF image :stuck_out_tongue:

Yeah, of course it could be any of them. It sounds more like a failing of how the radio data system sent out data and the radio not covering all the ways it can be sent, instead opting to cover the "logical" options of files with extensions, because who doesn't do it that way.

But it is a silly oversight caused by not testing properly.
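As an added example (not code from the thread, from Mazda or from KUOW), here is what an extension-agnostic image check looks like in Python: the fragile version dispatches on the file name and fails the moment a name has no extension, while the robust version identifies the container from its leading bytes and rejects anything it cannot recognise instead of crashing. The sample PNG header and the MAX_DIM limit are constructed assumptions.

```python
import struct
from typing import Optional, Tuple

# Assumed sanity limit for broadcast artwork; a real head unit would pick its own.
MAX_DIM = 4096

# Leading bytes ("magic numbers") of common image containers, checked instead of the file name.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
]

# Constructed sample: PNG signature plus a 64x32 IHDR chunk header, no pixel data.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 64, 32) + b"\x08\x02\x00\x00\x00")


def kind_from_extension(name: str) -> str:
    """The fragile approach: trust the file name. Raises IndexError when there is no extension."""
    return name.rsplit(".", 1)[1].lower()


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the container from its first bytes; the file name is ignored entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def png_dimensions(data: bytes) -> Optional[Tuple[int, int]]:
    """Read width/height from the IHDR chunk, or None if the header is truncated or malformed."""
    if len(data) < 24 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def decode_station_image(name: str, data: bytes) -> Tuple[str, Optional[str]]:
    """Return ("ok", kind) or ("rejected", kind). Never raises: bad input is dropped, not crashed on.
    The name is accepted but deliberately not used for dispatch."""
    kind = sniff_image_type(data)
    if kind is None:
        return ("rejected", None)      # unknown bytes: skip this artwork, keep the radio running
    if kind == "png":
        dims = png_dimensions(data)
        if dims is None or not (0 < dims[0] <= MAX_DIM and 0 < dims[1] <= MAX_DIM):
            return ("rejected", kind)  # truncated header or absurd size
    return ("ok", kind)
```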

I always wondered if you could exploit that. That’s hilarious. I feel bad for the people with cars.

Will a simple master reset fix it?

Nope, it is a new control system; apparently it is $1500 if you can even find them with the shortages.

EPIC… sounds like someone could profiteer from that

Which is why I advocate people do their own infotainment systems, free of proprietary control of the manufacturers. A simple Pi with a touchscreen and Kodi is what most people could get behind. But maybe we could see a project that aims to do a new FOSS GUI for infotainment systems that could connect to the car sensors and be able to control things like heating and stuff, as more and more cars are ditching real buttons for touchscreen alternatives, which is a shame.

How about standardised connections in the dash so you can plug in whatever head unit you want like used to exist?


Aren't there legal issues about having a PC accessible in a car?

I do agree but there still needs to be a standard that links into the cars other systems for various reasons.

Totally doable: make a standard that is just info in and out and you attach your own interpreting front end and display. But that would be a decade of work to get that kind of change, by which time it's all different, likely.

I believe this is only applicable to car manufacturers, or if you are going to sell your car.

Unfortunately, the current proprietary systems have no standards and even change from year to year on car models, just that the readers get software updates from the manufacturers to support the new models (at least that’s what I remember hearing).

I’d rather prefer a standard like USB, Ethernet or even Zigbee, heck even serial rs-232, that just spits out a colon “name” and another one “numbers” of the sensor readings and have the interpreter have 2 options: the nice GUI that can parse what it already knows from the second colon, or the “advanced” one which displays the raw output. USB would probably require a basic driver, while a network-based protocol like ethernet or zigbee would function similar to a local web server (like the management interface on your router). Input could be basically modifying config files in an editor and having the car software check if the parameters are all ok, or just revert the changes.

But what I was thinking about wasn't that much the car brain, but rather the infotainment system. You can leave the car controllers and sensors alone, along with the physical knobs for heating and stuff, while you replace the radio, DVD reader, navigation system and touchscreen with your own. That's easily doable on most older cars, but it's not as easy on the new cars that have integrated the infotainment with the car controls, like the AC, that historically was separate. Which is why I'd like an old car that I can just take the DVD player out of and insert my own SBC with a touchscreen.

That way I will:

  1. Not be vulnerable to remote car hacking attacks.
  2. Be in control of my system, so no automatic updates that may brick my music player, or image files that will make the system go into infinite reboot and so on.
  3. Not need to be subjected to humiliating practices like doing a breathalyzer test to start the engine, or have a third party decide when or if I am able to start my car. I don't drink alcohol and don't do drugs, so I don't need to prove to anyone that I am capable of driving.

Yeah sorry, the way you describe it was exactly what I was thinking. Not to have it as a full control unit, just as a head for the systems. Exactly as you say: some basic information in and out and it deals with how to display it.

Sounds like the best option but yeah probably a long time if ever.

I was just thinking of the videos of cops pulling over Teslas and demanding they remove the tablet screen as it is a distraction to driving and you are not allowed to have a general purpose PC on in the car. Completely not realising what it actually is.

I believe it was the NHTSA that states that you cannot have a screen that plays video or moving pictures while a car is moving. Tesla got them to change their minds on screens at large, but if the screen is playing video or any other kind of entertainment, it can only be accessible to the passengers, not the driver, while the vehicle is in motion. Any modification on a vehicle that allows this is illegal.

Yeah, that, while technically doable then, would be legal hell.

Unless the systems get changed to allow as much.

Remember in the post Fast and Furious days when people and auto manufacturers were putting TV screens in all of the head rests… this was their legal basis. When these screens started showing up on the passenger side dash, then things got questionable. When the Tesla Model S came out, basically the Gov't had to eat their hats because they allowed a car manufacturer to do this legally with the "promise" of not breaking the law. Tesla has ridden that line hard and fast.

