Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack.
According to PCA Cyber Security (formerly PCAutomotive), the vulnerabilities, dubbed PerfektBlue, can be chained together into an exploit that runs arbitrary code in cars from at least three major automakers: Mercedes-Benz, Volkswagen and Skoda. Besides these three, a fourth unnamed original equipment manufacturer (OEM) has also been confirmed to be affected.
“PerfektBlue’s exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy’s BlueSDK Bluetooth stack, which can be chained together to obtain remote code execution (RCE),” the cybersecurity company said.
Infotainment systems are often considered isolated from critical vehicle controls, but in practice this separation depends heavily on how each car manufacturer designs its internal network segmentation. In some cases, weak isolation lets attackers use IVI access as a springboard into more sensitive zones, especially if the system lacks gateway-level enforcement or secure communication protocols.
The only requirement to carry out the attack is that the bad actor be within range and able to pair their setup with the target vehicle's infotainment system over Bluetooth. It essentially amounts to a one-click attack that triggers exploitation over the air.
“However, this limitation is implementation-specific due to the nature of the BlueSDK framework,” PCA Cyber Security added. “Therefore, the pairing process may appear different between different devices. There may be a limited/unlimited number of pairing requests, the presence/absence of user interaction, or the pairing may be completely disabled.”
The list of identified vulnerabilities is as follows:
- CVE-2024-45434 (CVSS score: 8.0) – Use-after-free in the AVRCP service
- CVE-2024-45431 (CVSS score: 3.5) – Improper validation of an L2CAP channel's remote CID
- CVE-2024-45433 (CVSS score: 5.7) – Incorrect function termination in RFCOMM
- CVE-2024-45432 (CVSS score: 5.7) – Function call with incorrect parameters in RFCOMM
By successfully obtaining code execution on the in-vehicle infotainment (IVI) system, an attacker can track GPS coordinates, record audio, access contact lists, move laterally to other systems, and control critical software functions of the car, such as the engine.
Following responsible disclosure in May 2024, patches were rolled out in September 2024.

“PerfektBlue allows attackers to enable remote code execution on vulnerable devices,” PCA Cyber Security said. “Think of it as an entry point for a critical target system. When you talk about the vehicle, it’s the IVI system. Further lateral movement within the vehicle depends on its architecture and can involve additional vulnerabilities.”
Earlier this April, the company presented a set of vulnerabilities that could be exploited to remotely break into Nissan Leaf electric vehicles and take control of critical functions. The findings were presented at the Black Hat Asia conference in Singapore.
“Our approach began by leveraging the weaknesses of Bluetooth to infiltrate the internal network, then bypassing the secure boot process to escalate access,” it said.
“Establishing a command and control (C2) channel over DNS allows for a secret permanent link with the vehicle, allowing for full remote control. By infringing independent communications CPUs, it can interface directly with CAN buses that manage important body elements such as mirrors, wipers, door locks, steering, and more.”
CAN stands for Controller Area Network, a communications protocol used primarily in vehicles and industrial systems to facilitate communication between multiple electronic control units (ECUs). If an attacker with physical access to the car can take advantage of the bus, the scenario opens the door to injection attacks and impersonation of trusted devices.
“One infamous example involves small electronic devices (like portable speakers) hidden inside harmless objects,” the Hungarian company said. “The thief secretly connects this device to the joint of the exposed CAN of the car.”
“When connected to a car CAN bus, the rogue device mimics the message of an authorized ECU. The bus is flooded with CAN messages that direct certain actions, such as ‘a valid key exists’ or unlocking the door.”
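The flooding described above leaves a timing signature that a monitor on the bus can check: an ID that an ECU normally sends at a fixed period suddenly arrives far more often. The following is an added example, not code from PCA Cyber Security or this article; it assumes frames logged in the can-utils `candump -L` format, and the IDs, periods and the 0.5 threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# One frame per line in can-utils "candump -L" log format: (time) iface ID#DATA
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")

def parse(lines):
    """Yield (timestamp, arbitration_id) for each well-formed frame line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(2), 16)

def median_gaps(frames):
    """Median inter-arrival time per arbitration ID (IDs with < 3 frames skipped)."""
    seen = defaultdict(list)
    for ts, can_id in frames:
        seen[can_id].append(ts)
    return {i: median(b - a for a, b in zip(t, t[1:]))
            for i, t in seen.items() if len(t) >= 3}

def detect_flooding(baseline_lines, live_lines, ratio=0.5):
    """Map each suspicious ID to (baseline_gap, live_gap).

    Flags IDs arriving faster than ratio * learned period, and IDs absent
    from the baseline (baseline_gap is None for those).
    """
    base = median_gaps(parse(baseline_lines))
    alerts = {}
    for can_id, gap in median_gaps(parse(live_lines)).items():
        if can_id not in base:
            alerts[can_id] = (None, gap)
        elif gap < base[can_id] * ratio:
            alerts[can_id] = (base[can_id], gap)
    return alerts

# --- Constructed sample traffic (not captured from any vehicle) ---
def _frames(can_id, start, period, count, data="00"):
    return [(start + i * period, f"{can_id:03X}#{data}") for i in range(count)]

def _log(*groups):
    return [f"({ts:.6f}) can0 {frame}" for ts, frame in sorted(r for g in groups for r in g)]

BASELINE = _log(_frames(0x244, 0.0, 0.100, 20), _frames(0x3A0, 0.0, 0.020, 100))
# Same periodic traffic plus a second sender repeating ID 0x244 every 5 ms
LIVE = _log(_frames(0x244, 10.0, 0.100, 20), _frames(0x3A0, 10.0, 0.020, 100),
            _frames(0x244, 10.003, 0.005, 400, "01"))

if __name__ == "__main__":
    for can_id, (learned, seen) in detect_flooding(BASELINE, LIVE).items():
        print(f"ID 0x{can_id:03X}: learned gap {learned}, observed gap {seen:.4f}s")
```

A rate check like this only catches injection that changes message frequency; it is one heuristic, not a complete intrusion detection scheme.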
In a report released late last month, Pen Test Partners revealed that it had turned a 2016 Renault Clio into a Mario Kart controller by intercepting CAN bus data to gain control of the car and mapping its steering, brake and throttle signals to a Python-based game controller.