- Researchers find four flaws in the BlueSDK Bluetooth stack
- They can be chained into a “PerfektBlue” RCE attack
- More carmakers are allegedly affected
Security researchers have discovered four vulnerabilities in the BlueSDK Bluetooth stack, which could be chained together for Remote Code Execution (RCE) attacks.
This stack is used by several suppliers across different industries – including car production giants Mercedes, Volkswagen and Skoda (and possibly others).
In theory, a threat actor could abuse these flaws to connect to a car’s infotainment system, and from there eavesdrop on conversations, grab the contact list from connected devices, track GPS coordinates and more.
Can an attack be pulled off?
However, the bugs are not so easy to abuse. But first, let’s get the formalities out of the way.
The four vulnerabilities were found by PCA Cyber Security and are tracked as CVE-2024-45434, CVE-2024-45431, CVE-2024-45433 and CVE-2024-45432. Their severity varies from low to high, and they reside in different components of the stack.
Together, they were named “PerfektBlue”. A threat actor who wants to abuse them needs only one click from the victim: accepting the pairing of the Bluetooth device with the vehicle. In some cars, this is done automatically and without the victim’s input.
PCA Cyber Security reported its findings to OpenSynergy, the company that maintains the BlueSDK Bluetooth stack, in June 2024. A fix was deployed in September of that year. However, the fix must then be applied by car manufacturers, and according to PCA Cyber Security, this has not been done yet.
Only Volkswagen is currently investigating the case, and it gave a fairly long list of prerequisites that need to be met before the flaw can be exploited, suggesting that the risk is not so great:
– The attacker must be within a maximum distance of 5 to 7 meters from the vehicle and must maintain this distance throughout the attack
– The vehicle needs to be turned on
– The infotainment system must be in pairing mode
– The vehicle user must actively approve the attacker’s external Bluetooth access on the screen.
Via BleepingComputer



