- Researchers find four flaws in the BlueSDK Bluetooth stack
- They can be chained into the “PerfektBlue” RCE attack
- Multiple car vendors are allegedly affected
Security researchers have discovered four vulnerabilities in the BlueSDK Bluetooth stack which could be chained together for remote code execution (RCE) attacks.
This stack is used by multiple vendors across different industries – including car manufacturing giants Mercedes, Volkswagen, and Skoda (and possibly others).
In theory, a threat actor could abuse these flaws to connect to a car’s infotainment system, and from there – eavesdrop on conversations, grab the contacts list from connected devices, track GPS coordinates, and more.
Can an attack be pulled off?
The bugs are not that easy to abuse, though, but first – let’s get the formalities out of the way.
The four vulnerabilities were found by PCA Cyber Security, and are tracked as CVE-2024-45434, CVE-2024-45431, CVE-2024-45433, and CVE-2024-45432. Their severity ranges from low to high, and are found in different components of the stack.
Together, they were dubbed “PerfektBlue”. A threat actor looking to abuse them only needs one click from the victim – to accept the pairing of the bluetooth device with the vehicle. In some cars, even that is done automatically and without the victim’s input.
PCA Cyber Security reported its findings to OpenSynergy, the company maintaining the BlueSDK Bluetooth stack, in June 2024. A fix was deployed in September the same year. However, the fix must then be applied by car manufacturers, and according to PCA Cyber Security, this hasn’t been done yet.
Only Volkswagen is currently investigating the matter, and gave a rather long list of prerequisites that need to be filled before the bug can be exploited, hinting that the risk isn’t that big:
– The attacker must be within a maximum distance of 5 to 7 meters from the vehicle, and must maintain that distance throughout the attack
– The vehicle’s ignition must be switched on
– The infotainment system must be in pairing mode
– The vehicle user must actively approve the external Bluetooth access of the attacker on the screen.
Via BleepingComputer
