Four vulnerabilities dubbed PerfektBlue and affecting the BlueSDK Bluetooth stack from OpenSynergy can be exploited to achieve remote code execution and potentially allow access to critical elements in vehicles from multiple vendors, including Mercedes-Benz AG, Volkswagen, and Skoda.
OpenSynergy confirmed the flaws last year in June and released patches to customers in September 2024 but many automakers have yet to push the corrective firmware updates. At least one major OEM learned only recently about the security risks.
The security issues can be chained together into an exploit that researchers call a PerfektBlue attack and can be delivered over-the-air by an attacker, requiring "at most 1-click from a user."
Although OpenSynergy's BlueSDK is widely used in the automotive industry, vendors from other sectors also use it.
PerfektBlue attacks
The pentesting team at PCA Cyber Security, a company specialized in automotive security, discovered the PerfektBlue vulnerabilities and reported them to OpenSynergy in May 2024. They are regular participants in Pwn2Own Automotive competitions and have uncovered over 50 vulnerabilities in car systems since last year.
According to them, the PerfektBlue attack affects "millions of devices in automotive and other industries."
Finding the flaws in BlueSDK was possible by analyzing a compiled binary of the software product, since the researchers did not have access to the source code.
The glitches, listed below, range in severity from low to high and can provide access to the car's internals through the infotainment system.
CVE-2024-45434 (high severity) – use-after-free in the AVRCP service, the Bluetooth profile that allows remote control over media devices