Researchers at PCA Cyber Security have discovered serious vulnerabilities in a widely used Bluetooth stack that could allow attackers to remotely hack into millions of vehicles. The flaws lie within BlueSDK, a Bluetooth framework developed by OpenSynergy, commonly integrated into modern car infotainment systems.
What Is PerfektBlue?
The PCA team uncovered several security flaws in BlueSDK and demonstrated how these could be chained in a cyberattack they’ve named PerfektBlue. This exploit allows an attacker to compromise a car’s infotainment system over Bluetooth—without needing direct access to the vehicle.
Once inside the infotainment system, hackers can:
- Track the vehicle’s location in real time
- Record audio from within the car
- Access the driver’s phonebook and personal contact data
More alarmingly, researchers warn that attackers could potentially move laterally from the infotainment system to critical vehicle controls, such as:
- Steering
- Horn
- Windshield wipers
While these controls were not directly exploited in the demo, past research shows such escalations are possible.
Vehicles and Devices at Risk
PerfektBlue has already been demonstrated against recent infotainment units in Mercedes-Benz, Volkswagen, and Skoda vehicles. Another unnamed OEM, whose systems were also found vulnerable, was recently notified of the issue.
Because BlueSDK is used in millions of devices, the risk extends beyond cars. Mobile phones and portable tech devices from major manufacturers may also be exposed.
How Does PerfektBlue Work?
To carry out a Bluetooth car hack, the attacker must be within pairing range of the vehicle. Depending on the system’s configuration, they might be able to:
- Pair with the infotainment system silently
- Trigger an attack with a single user click
- Exploit the system without the driver’s knowledge
According to PCA Cyber Security, “PerfektBlue requires at most 1-click from a user to be exploited over-the-air.”
CVEs Assigned to the PerfektBlue Vulnerability
The vulnerabilities were responsibly disclosed to OpenSynergy in May 2024 and are now tracked under the following CVE identifiers:
- CVE-2024-45434
- CVE-2024-45431
- CVE-2024-45432
- CVE-2024-45433
What You Can Do
While patching depends on the vendor and your car’s manufacturer, vehicle owners should:
- Regularly update their infotainment firmware
- Avoid pairing with unknown Bluetooth devices
- Check with their dealership for security updates
- Disable Bluetooth when not in use