Major automotive manufacturers – including Mercedes-Benz, Skoda, and Volkswagen – along with leading mobile phone and portable gadget makers, have deployed the Blue SDK Bluetooth stack in millions of their devices. PCA Cyber Security researchers have identified critical vulnerabilities in this widely used software, exposing a broad range of products and users to significant security risks.
These vulnerabilities, named the “PerfektBlue” chain, enable remote code execution on target devices, allowing attackers to track GPS locations, record audio inside vehicles, access personal phonebook data, and potentially take control of critical vehicle functions such as steering, horn, and wipers. This poses severe privacy, safety, and operational risks to private individuals, corporate fleets, and car-sharing services worldwide.
The critical vulnerabilities were discovered in the Blue SDK Bluetooth stack developed by OpenSynergy, which is integrated into millions of devices. At least 69 major international companies are potentially affected. PCA’s Security Assessment team responsibly reported these vulnerabilities to OpenSynergy, and OpenSynergy confirmed and acknowledged them.
Patches were rolled out, with OpenSynergy committing to notify all affected vendors. The research is now being published after allowing sufficient time for notification throughout the long and complex supply chain.
What are the Potential Impacts?
With code execution on an IVI (in-vehicle infotainment) device, the Bluetooth-enabled part of a modern vehicle, an attacker can track GPS coordinates, record and play audio inside the car, and obtain personal phonebook data, although on some systems these impacts additionally require a privilege escalation step from the Bluetooth service user to root.
Finally, an attacker with code execution on the IVI can attempt lateral movement to other ECUs – through legitimate interfaces or by exploiting other software components – and gain access to critical elements of the car, such as the steering wheel, as well as other elements such as the horn and wipers. PCA researchers did not achieve this level of access on targets vulnerable to PerfektBlue. Nevertheless, earlier PCA research unrelated to PerfektBlue, which also used IVI Bluetooth as the attack entry point into the vehicle, demonstrated that this is possible.
To protect against PerfektBlue, PCA advises product owners to keep their systems up to date or to disable Bluetooth functionality entirely. At the same time, product manufacturers are advised to check for the presence of these vulnerabilities in their products throughout their supply chains, and to get in touch with PCA Cyber Security’s experts to confirm PerfektBlue, discover other, as yet unknown issues in their products, and receive professional remediation advice.
Have the Affected Vendors and OEMs Been Informed?
In line with responsible disclosure practices, PCA Cyber Security reported the identified vulnerabilities to OpenSynergy prior to publication. The company acknowledged the findings and confirmed their intention to notify all affected vendors.
OpenSynergy was notified by PCAutomotive in May 2024 about potential vulnerabilities (named PerfektBlue) in Blue SDK; corrections were applied and patches were supplied to customers in September 2024.
PCA Cyber Security also notified the security teams of Volkswagen/Skoda, Mercedes-Benz, and a third, undisclosed OEM whose products PCA proved to be affected.
All OEMs approached confirmed the presence of the vulnerabilities in their products.