Bluetooth security flaws could affect thousands of Mercedes, Volkswagen, Skoda cars - here's what we know

4 hours ago 1

A close-up of the mobile connectivity options in iOS, showing buttons for Airplane Mode, mobile data, Wi-Fi, and Bluetooth.

(Image credit: Brett Jordan / Pexels)

Researchers find four flaws in the BlueSDK Bluetooth stack
They can be chained into the "PerfektBlue" RCE attack
Multiple car vendors are allegedly affected

Security researchers have discovered four vulnerabilities in the BlueSDK Bluetooth stack which could be chained together for remote code execution (RCE) attacks.

This stack is used by multiple vendors across different industries - including car manufacturing giants Mercedes, Volkswagen, and Skoda (and possibly others).

In theory, a threat actor could abuse these flaws to connect to a car’s infotainment system, and from there - eavesdrop on conversations, grab the contacts list from connected devices, track GPS coordinates, and more.

Can an attack be pulled off?

The bugs are not that easy to abuse, though, but first - let’s get the formalities out of the way.

The four vulnerabilities were found by PCA Cyber Security, and are tracked as CVE-2024-45434, CVE-2024-45431, CVE-2024-45433, and CVE-2024-45432. Their severity ranges from low to high, and are found in different components of the stack.

Together, they were dubbed “PerfektBlue”. A threat actor looking to abuse them only needs one click from the victim - to accept the pairing of the bluetooth device with the vehicle. In some cars, even that is done automatically and without the victim’s input.

PCA Cyber Security reported its findings to OpenSynergy, the company maintaining the BlueSDK Bluetooth stack, in June 2024. A fix was deployed in September the same year. However, the fix must then be applied by car manufacturers, and according to PCA Cyber Security, this hasn’t been done yet.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Only Volkswagen is currently investigating the matter, and gave a rather long list of prerequisites that need to be filled before the bug can be exploited, hinting that the risk isn’t that big:

- The attacker must be within a maximum distance of 5 to 7 meters from the vehicle, and must maintain that distance throughout the attack
- The vehicle's ignition must be switched on
- The infotainment system must be in pairing mode
- The vehicle user must actively approve the external Bluetooth access of the attacker on the screen.

Via BleepingComputer

Skoda security flaws could let hackers remotely track cars
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article