
Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy's BlueSDK Bluetooth stack.
Collectively called PerfektBlue, the vulnerabilities can be chained into an exploit for running arbitrary code in cars from at least three major automakers, Mercedes-Benz, Volkswagen and Skoda, according to PCA Cybersecurity (formerly PCAutomotive). Beyond these three, a fourth, unnamed original equipment manufacturer (OEM) has also been confirmed to be affected.
“PerfektBlue’s exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy’s BlueSDK Bluetooth stack, which can be chained together to obtain remote code execution (RCE),” the cybersecurity company said.
Infotainment systems are often considered isolated from critical vehicle controls, but in practice this separation depends heavily on how each car manufacturer designs its internal network segmentation. In some cases, because of weak isolation, attackers can use IVI access as a springboard into more sensitive zones, especially if the system lacks gateway-level enforcement or secure communication protocols.

The only requirement for pulling off the attack is that the bad actor be within range and that their device and the target vehicle's infotainment system be paired over Bluetooth. It essentially amounts to a one-click attack, triggering exploitation over the air.
“However, this limitation is implementation specific due to the nature of the BlueSDK framework,” PCA Cybersecurity added. “Therefore, the pairing process may appear different between different devices. There may be a limited/unlimited number of pairing requests, the presence/absence of user interaction, or the pairing may be completely disabled.”
The list of identified vulnerabilities is as follows:
CVE-2024-45434 (CVSS score: 8.0) – Use-after-free in the AVRCP service
CVE-2024-45431 (CVSS score: 3.5) – Improper validation of an L2CAP channel's remote CID
CVE-2024-45433 (CVSS score: 5.7) – Incorrect function termination in RFCOMM
CVE-2024-45432 (CVSS score: 5.7) – Function call with incorrect parameters in RFCOMM
By successfully obtaining code execution on an in-vehicle infotainment (IVI) system, attackers can track GPS coordinates, record audio, access contact lists, move laterally to other systems, and control important software functions of the car, such as the engine.
Following responsible disclosure in May 2024, patches were rolled out in September 2024.

“PerfektBlue allows attackers to enable remote code execution on vulnerable devices,” PCA Cybersecurity said. “Think of it as an entry point for a critical target system. When you talk about the vehicle, it’s the IVI system. Further lateral movement within the vehicle depends on its architecture and can involve additional vulnerabilities.”
Earlier this April, the company presented a set of vulnerabilities that could be exploited to remotely infiltrate Nissan Leaf electric vehicles and control critical functions. The findings were presented at the Black Hat Asia conference in Singapore.
“Our approach began by leveraging the weaknesses of Bluetooth to infiltrate the internal network, then bypassing the secure boot process to escalate access,” the company said.
“Establishing a command and control (C2) channel over DNS allows for a secret permanent link with the vehicle, allowing for full remote control. By compromising the independent communications CPU, it can interface directly with the CAN buses that manage important body elements such as mirrors, wipers, door locks, steering, and more.”

CAN stands for Controller Area Network, a communications protocol used primarily in vehicles and industrial systems to enable communication between multiple electronic control units (ECUs). An attacker with physical access to the car can take advantage of it, which opens the door to injection attacks and the spoofing of trusted devices.
“One infamous example involves small electronic devices (like portable speakers) hidden inside harmless objects,” the Hungarian company said. “The thief secretly connects this device to an exposed CAN bus junction of the car.”
“When connected to the car's CAN bus, the rogue device mimics the messages of an authorized ECU. The bus is flooded with CAN messages that direct certain actions, such as ‘a valid key is present’ or unlocking the door.”
In a report released late last month, Pen Test Partners revealed that it had intercepted CAN bus data on a 2016 Renault Clio to gain control of the car, turning it into a Mario Kart controller by mapping the steering, brake and throttle signals to a Python-based game controller.
Update
In a statement shared with The Hacker News, Volkswagen said the issues identified relate solely to Bluetooth and that neither the safety nor the integrity of the vehicle has been affected.
“The investigation revealed that under certain conditions, it is possible to connect to the vehicle’s infotainment system via Bluetooth without permission,” the company said.
“Intervention of vehicle functions beyond the infotainment system is not possible. For example, there is no steering intervention, driver assistance system or engine or braking function intervention. These are found in vehicles with separate control units that are protected from external interference due to their own security features.
We also noted that exploitation of the vulnerability is possible only if several conditions are met simultaneously:
The attacker is within a maximum distance of 5-7 meters of the vehicle. The vehicle's ignition must be switched on and the infotainment system must be in pairing mode.
Even in scenarios in which threat actors meet the aforementioned criteria and gain access to the Bluetooth interface, they must remain within a maximum distance of 5-7 meters of the vehicle to access the described audio features of the vehicle.
As a precaution, vehicle users can protect against these attacks by checking the pairing data during the connection process and making sure it matches the numbers displayed on their devices.”
“Volkswagen is tackling security gaps with software updates, so vehicle users will definitely need to perform software updates provided,” the spokesman added. “In some cases, you may also need to visit the workshop.”
(The story was updated after publication to include answers from Volkswagen.)