A new series of vulnerabilities named PerfektBlue has been discovered in OpenSynergy’s BlueSDK Bluetooth stack. They represent critical threats to millions of cars from leading manufacturers including Mercedes-Benz, Volkswagen, and Skoda. Security researchers first announced these vulnerabilities during the Black Hat Asia conference in Singapore. Chained together, they allow an attacker within Bluetooth range to execute arbitrary code on the infotainment unit. The flaws have been assigned four CVE identifiers: CVE-2024-45434, CVE-2024-45431, CVE-2024-45433, and CVE-2024-45432.
PerfektBlue gives an attacker a foothold in the vehicle’s In-Vehicle Infotainment (IVI) system. From there, the attacker could track the car’s GPS location, listen in through the car’s microphone, and access the address book. The researchers also say that under specific circumstances the IVI could be used as a stepping stone toward other vehicle functions, such as the engine, although whether that is possible depends on how the particular vehicle is built (see Volkswagen’s statement below). The attack only works when the attacker is within roughly 5 to 7 meters of the vehicle, the ignition is on, and the infotainment system is in pairing mode.
The four vulnerabilities were given different CVSS scores. Most notably, CVE-2024-45434 received a CVSS score of 8.0, which is considered high severity. The remaining identifiers scored significantly lower: 3.5 for CVE-2024-45431 and 5.7 for both CVE-2024-45433 and CVE-2024-45432. Back in May 2024, we started a responsible disclosure process for these particular vulnerabilities. By September 2024, we created patches to fix them.
Exploitation Capabilities
Nguyenzcza said that PerfektBlue can be weaponized by an attacker to set up a C2 (command-and-control) channel through DNS, giving them persistent remote control of the compromised infotainment unit. This is the most troubling aspect, because a compromised IVI can then be used as a launching point for further unauthorized access to the vehicle’s systems. The infotainment system itself is the part an attacker can reach directly; vital vehicle functions, such as steering and braking, run on their own control units, separate from it.
“Interventions in vehicle functions beyond the infotainment system are not possible, e.g., no steering interventions, no interventions in driver assistance systems, or engine or brake functions,” – [No specific source]
The fact that these flaws can be chained makes them far more serious than any one of them alone. According to PCA Cyber Security, “PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE).” This underscores the complexity of the vulnerabilities and the need for stronger security throughout automotive systems.
Additionally, Volkswagen confirmed that it is addressing the security gap with software updates. The automaker said customers should install all available software updates as soon as they can to protect their vehicles from possible exploitation.
“Volkswagen is addressing the security gap with software updates, so vehicle users should definitely perform the offered software updates,” – Volkswagen
User Interaction and Security Measures
In order for an attacker to successfully exploit these vulnerabilities, a number of conditions must be in place. Most importantly, the vehicle user must accept the attacker’s pairing request on the infotainment display; a single confirmation is enough. This small detail highlights the importance of human interaction in preventing the threat from becoming widespread.
PCA Cyber Security elaborates on this aspect by stating, “Thus, the pairing process might look different between various devices: limited/unlimited number of pairing requests, presence/absence of user interaction, or pairing might be disabled completely.” As a result, manufacturers differ in how they implement Bluetooth pairing, which affects the severity of any possible attack.
Patching also requires users to stay informed and take an active role in keeping their vehicle’s software current. In some cases, Volkswagen specified that an in-person trip to a workshop will still be required to apply the fix.
“In some cases, a visit to the workshop may also be necessary,” – Volkswagen
Industry Response and Future Implications
The automotive industry is taking these revelations seriously. With millions of vehicles potentially affected worldwide, manufacturers are keen to address the PerfektBlue vulnerabilities to ensure consumer safety and confidence. Ongoing monitoring and remediation will be necessary as research into the Bluetooth stack continues.
As highlighted by PCA Cyber Security, “Consider it as an entrypoint to the targeted system which is critical. Speaking about vehicles, it’s an IVI system.” This view highlights the need to proactively protect automotive systems from new threats as technology evolves.