Critical Flaws in BlueSDK Bluetooth Stack Expose Infotainment Systems to Serious Threats

Researchers at PCA Cyber Security have discovered critical vulnerabilities in the BlueSDK Bluetooth stack that could allow remote code execution on car systems, putting millions of vehicles at risk of hacking. The flaws, which were reported to OpenSynergy in May 2024 and patched in September of the same year, could be exploited to remotely hack into a car’s infotainment system, allowing an attacker to track the vehicle’s location, record audio from inside the car, and obtain the victim’s phonebook data.
The PerfektBlue attack, as it has been dubbed, requires only a single click from a user to be exploited over-the-air by an attacker. The researchers demonstrated how the flaws could be chained together to achieve this level of access, and they have shown that the attack can be carried out against recent infotainment models shipped with Mercedes-Benz, Skoda, and Volkswagen cars, as well as products made by another unnamed OEM.
According to the researchers, the PerfektBlue attack works by exploiting a series of vulnerabilities in the BlueSDK Bluetooth stack, including flaws that enable remote code execution, bypass security mechanisms, and leak information. By chaining these flaws together, an attacker can gain access to the car’s infotainment system and then move laterally to other systems, potentially taking control of functions such as the steering, horn, and wipers.
The researchers have warned that the PerfektBlue attack is a serious threat that could have far-reaching consequences, including the potential for physical harm to drivers and passengers. They have also noted that the attack is not limited to cars, as the BlueSDK Bluetooth stack is also used in other devices such as mobile phones and portable gadgets.
To conduct the PerfektBlue attack, an attacker would need to be in range of the targeted vehicle and be able to pair their laptop with the infotainment system over Bluetooth. In some cases, pairing is possible without any user interaction, while in others it requires user confirmation or may not be possible at all. The researchers have noted that, once paired, the attack can be carried out using a variety of tools and techniques that exploit the vulnerabilities in the BlueSDK Bluetooth stack.
The PerfektBlue vulnerabilities were assigned the CVE identifiers CVE-2024-45434, CVE-2024-45431, CVE-2024-45432, and CVE-2024-45433. Patches were created and distributed to customers starting in September 2024, but PCA Cyber Security waited until now to disclose them to ensure that the fixes would be widely deployed.
This is not the first time that PCA Cyber Security has disclosed vulnerabilities that could be exploited to remotely hack a car. Earlier this year, they disclosed a series of vulnerabilities that could be exploited to hack a Nissan Leaf electric vehicle, including for spying and the physical takeover of several functions. Given the severity of the PerfektBlue attack, the researchers have called on car manufacturers and users to take immediate action to protect themselves.