Four newly disclosed vulnerabilities, collectively known as PerfektBlue, affect the BlueSDK Bluetooth stack from OpenSynergy, which is used by several major automotive manufacturers, including Mercedes-Benz AG, Volkswagen, and Skoda. The flaws, confirmed by OpenSynergy, can allow an attacker within Bluetooth range to achieve remote code execution on a vehicle's infotainment system and potentially gain access to key vehicle systems.
The vulnerabilities were reported by the pentesting team at PCA Cyber Security, a firm specializing in automotive security. According to its findings, PerfektBlue affects millions of devices, because BlueSDK is embedded in products across several industries, not just automotive. OpenSynergy released patches in September 2024, but many manufacturers have yet to ship these critical updates to devices already in the field.
The four flaws can be chained into what the researchers call a PerfektBlue attack: a one-click remote code execution delivered over the air, requiring at most that the victim accept a Bluetooth pairing request. The most severe, CVE-2024-45434 (rated high), is a use-after-free in the AVRCP (Audio/Video Remote Control Profile) service, the component that handles remote-control commands for media playback; the other three, rated lower, affect the stack's handling of Bluetooth connections and are used alongside it in the chain. PCA Cyber Security has demonstrated working exploits against several infotainment systems.
Although PCA Cyber Security contacted the affected automakers, their response has been slow. A spokesperson for Volkswagen acknowledged the issue, stating that under specific conditions unauthorized access to the infotainment system is possible, but that critical vehicle functions remain secure because they are handled by separate control units. That separation is a property of each OEM's vehicle architecture rather than of the patched Bluetooth stack, so it has to be verified per platform. The researchers have also confirmed that the vulnerabilities affect at least one other manufacturer, which has yet to address them, underscoring how widespread the exposure is.