CyberSecurity news
FlagThis
@cyberscoop.com
//
Cybersecurity researchers have identified a critical set of vulnerabilities, collectively named PerfektBlue, affecting OpenSynergy's BlueSDK Bluetooth stack. These flaws, which can be chained together to achieve remote code execution, pose a significant risk to millions of vehicles. Automakers such as Mercedes-Benz, Volkswagen, and Skoda are confirmed to be impacted, along with an additional unnamed manufacturer. The vulnerabilities could allow attackers, within Bluetooth range, to compromise infotainment systems, potentially leading to unauthorized access to sensitive vehicle functions.
The PerfektBlue attack leverages a chain of vulnerabilities including a critical use-after-free flaw in the AVRCP service (CVE-2024-45434) and issues within L2CAP and RFCOMM protocols. Successful exploitation can enable attackers to execute arbitrary code on a car's system, potentially allowing them to track GPS coordinates, record audio, access contact lists, and even pivot to more critical systems. While infotainment systems are often isolated, the effectiveness of this separation varies by manufacturer, meaning some attacks could provide a pathway to controlling core vehicle functions.
OpenSynergy confirmed these vulnerabilities last year and released patches in September 2024. However, many automakers have yet to implement these crucial updates, leaving millions of vehicles exposed. The attack requires an attacker to pair with the target vehicle's infotainment system via Bluetooth, a process that can vary in user interaction depending on the manufacturer's implementation. While patches are available, the widespread delay in deployment means that a significant number of cars remain vulnerable to this potentially far-reaching exploit.
References :
The PerfektBlue attack leverages a chain of vulnerabilities including a critical use-after-free flaw in the AVRCP service (CVE-2024-45434) and issues within L2CAP and RFCOMM protocols. Successful exploitation can enable attackers to execute arbitrary code on a car's system, potentially allowing them to track GPS coordinates, record audio, access contact lists, and even pivot to more critical systems. While infotainment systems are often isolated, the effectiveness of this separation varies by manufacturer, meaning some attacks could provide a pathway to controlling core vehicle functions.
OpenSynergy confirmed these vulnerabilities last year and released patches in September 2024. However, many automakers have yet to implement these crucial updates, leaving millions of vehicles exposed. The attack requires an attacker to pair with the target vehicle's infotainment system via Bluetooth, a process that can vary in user interaction depending on the manufacturer's implementation. While patches are available, the widespread delay in deployment means that a significant number of cars remain vulnerable to this potentially far-reaching exploit.
Share:
References :
- cyberscoop.com: Researchers identify critical vulnerabilities in automotive Bluetooth systems
- The Hacker News: PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution
- securityaffairs.com: PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda
- CyberScoop: Researchers identify critical vulnerabilities in automotive Bluetooth systems
- www.bleepingcomputer.com: Four vulnerabilities dubbed PerfektBlue and affecting the BlueSDK Bluetooth stack from OpenSynergy can be exploited to achieve remote code execution and potentially allow access to critical elements in vehicles from multiple vendors, including Mercedes-Benz AG, Volkswagen, and Skoda.
- PCWorld: Your Mercedes or Volkswagen could get hacked via Bluetooth
- malware.news: Malware News: Widespread automobile hacking likely with PerfektBlue Bluetooth bugs
Classification:
- HashTags: #BluetoothVuln #AutomotiveSecurity #PerfektBlue
- Company: OpenSynergy
- Target: Vehicles
- Product: BlueSDK
- Feature: Remote Code Execution
- Malware: PerfektBlue
- Type: Vulnerability
- Severity: Critical