Shostack + Friends Blog


I need an extension!

A few lessons from the Mazda radio incident. A broken car computer

[Updated Feb 26 - see below]

There was an entertaining story recently, about a set of radios in Mazdas that got stuck in a reboot cycle. It turns out that the issue was a local radio station was sending files without extensions via one of the digital channels that are now in a lot of what I still think of as analog radios. (These are how song names, and apparently more, can show up in your in-dash entertainment (IDE) units.) And as much fun as it was to make jokes like “but then you've pwned a Mazda,” I think there are some useful security engineering lessons we should take away.

The first is that inputs are unpredictable. I admit, I rarely give thought to what happens if a file comes in without an extension, but it's now worth adding to any longer, more thorough test suites. You keep up on those, right? The second, I'm guessing here, is check return codes better. (I'd say exceptions, but I'm guessing these IDEs were coded in C (“some 2014-2017 Mazda vehicles with older software.”). The third is that this is most likely a case where some degree of least privilege would have saved Mazda a lot of money. Let me unpack why.

After this blew the heck up in the press, Mazda provided “$1,500 connectivity master units” to those affected - they probably are not paying that per unit, but they are paying dealers for the 90 minute installation, and they're probably upgrading a lot of units not yet impacted to prevent another instance. The description of the issue, a “reboot cycle,” seems to indicate to me that there's not a set of independent processes running, for example, with talking to the X11 server to display things, but a smaller set of highly integrated processes, possibly even a single process model where something provides just enough services to keep these things mostly running. A set of privileges would allow the still working code to notice and reject the problems that other code was having.

Obviously, I'm speculating, but the folks who make in dash entertainment units are highly price-sensitive, and the code changed as minimally as possible for long periods, so the units shipped in 2013 were likely selected in 2011, which means they could reasonably have been code-complete in 2010. Or because it only impacted Mazdas, it's possible that these are in-house units.

From a threat modeling perspective, it's nitfy that this is an honest to goodness example of a one-way data flow carrying a threat. That's pretty unusual.

In closing, these amusing sorts of incidents often carry important lessons, and you can use them for security education. Why miss the chance to drive awareness?

Updated Feb 26: There's a claim that this can be triggered by program names that contain a % character, which I find more convincing than the 'lack of extension' root cause. (Via Risks Digest.)