Mazda owners might need to think twice before plugging anything into their car's infotainment system.

Researchers from Trend Micro’s Zero Day Initiative (ZDI) have uncovered critical vulnerabilities in Mazda Connect, Mazda's in-car infotainment system that leave the system and the vehicle open to attack via command injection and unauthorized code execution.

Mazda Connect operates on a Linux-based platform with a dual-processor setup to separate user-demanded infotainment tasks from critical CAN bus vehicle communications. While this architecture is meant to enhance security, ZDI reveals it falls short in key areas.

Using malicious USB devices, attackers exploited system vulnerabilities to inject code, gain root access, and compromise the vehicle's microcontroller responsible for CAN bus connections—it was found that SQL injection would allow attackers to manipulate the system database.

Granted, many of the vulnerabilities found were created by physically accessing the system via a USB device; this could happen in targeted scenarios where attackers have brief physical access to a USB port—like during valet parking or at repair shops.

An exploited infotainment system might not only serve as a launchpad for malware or denial-of-service attacks but could also compromise vehicle safety features. Mazda has yet to issue a fix for the identified vulnerabilities, leaving owners exposed. ZDI recommends avoiding untrusted USB devices, limiting third-party access to the vehicle, and waiting for official patches from Mazda.