Multiple Vulnerabilities in the Mazda In-Vehicle Infotainment (IVI) System

This report analyzes the update mechanism for an embedded system, detailing the structure of password-protected update ZIPs (including root filesystem, kernel, bootloaders, and a passwd replacement) and describing the verification workflow that extracts certificates and verifies signatures. It notes that substantial processing of the supplied update file occurs before integrity checks and that researchers could not produce signed malicious updates or find a verification bypass during the investigation.