PerfektBlue: Bluetooth gap in entertainment systems from Mercedes, Skoda & VW

The Bluetooth vulnerability combination nicknamed "PerfektBlue" is currently making waves. It affects vehicles from Mercedes, Skoda & VW.

[Image: VW ID.3 Pre-Facelift] Old ID models, among others, were once susceptible to PerfektBlue. (Image: Christoph M. Schwarzer)


IT security researchers have named a combination of Bluetooth vulnerabilities in a Bluetooth stack used in several car entertainment systems "PerfektBlue". The discoverers write of "critical vulnerabilities that enable over-the-air attacks on millions of devices in cars and other industries". However, the danger is generally much lower than suggested.

An IT research team from PCA Cybersecurity has tracked down and analyzed the vulnerabilities in the OpenSynergy Bluetooth Protocol Stack (BlueSDK). This stack is used in the automotive industry, for example, but also in other devices that have not been investigated, such as in the IoT sector. The stack contained four vulnerabilities until September 2024, when OpenSynergy corrected them with patches and distributed these to the affected manufacturers.

The IT security researchers have identified four vulnerabilities. The most serious one stems from the BlueSDK not checking whether an object still exists before performing operations on it, a use-after-free vulnerability. As a result, injected malicious code can be executed (CVE-2024-45434 / no EUVD yet, CVSS 8.0, risk "high"). Here, PCA Cybersecurity deviates from the CVSS classification and claims that the vulnerability is actually critical. Another vulnerability can be misused to bypass a security check in RFCOMM and in the processing of incoming data (CVE-2024-45433 / no EUVD yet, CVSS 5.7, risk "medium").
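The use-after-free class described above, where code keeps operating on an object after it has been released, is easiest to see next to the fix. The following C snippet is an added illustration and is not code from the BlueSDK, from the researchers, or from this article: it models a small pool of connection objects addressed by handles (a hypothetical layout chosen here), shows a lookup that trusts a handle without checking whether the object still exists, and beside it a lookup that refuses stale handles by tying each one to a per-slot generation counter.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed example: a fixed pool of connection objects.  A handle packs
 * the slot index (low 16 bits) and the slot's generation (high 16 bits), so
 * a handle that outlives its object stops resolving once the slot is freed. */
#define MAX_CONN 4

struct conn {
    bool     in_use;
    uint16_t generation;   /* starts at 1 and is bumped on every free */
    uint16_t remote_cid;   /* example payload */
};

static struct conn pool[MAX_CONN];

static uint32_t make_handle(uint16_t idx, uint16_t gen) {
    return ((uint32_t)gen << 16) | idx;
}

/* Allocate a connection; returns 0 when the pool is exhausted
 * (0 can never be a real handle because generations start at 1). */
uint32_t conn_open(uint16_t remote_cid) {
    for (uint16_t i = 0; i < MAX_CONN; i++) {
        if (!pool[i].in_use) {
            if (pool[i].generation == 0) pool[i].generation = 1;
            pool[i].in_use = true;
            pool[i].remote_cid = remote_cid;
            return make_handle(i, pool[i].generation);
        }
    }
    return 0;
}

/* Vulnerable pattern: the slot index is trusted and liveness is never
 * checked, so a freed slot (or one reused by a newer connection) is
 * returned as if it were the caller's object.  Deliberately unchecked. */
struct conn *conn_lookup_unchecked(uint32_t handle) {
    uint16_t idx = (uint16_t)(handle & 0xFFFFu);
    return &pool[idx % MAX_CONN];
}

/* Hardened pattern: the object must exist and its generation must match
 * the one baked into the handle, otherwise the caller gets NULL. */
struct conn *conn_lookup(uint32_t handle) {
    uint16_t idx = (uint16_t)(handle & 0xFFFFu);
    uint16_t gen = (uint16_t)(handle >> 16);
    if (idx >= MAX_CONN) return NULL;
    struct conn *c = &pool[idx];
    if (!c->in_use || c->generation != gen) return NULL;
    return c;
}

/* Free a connection and retire every outstanding handle to it. */
bool conn_close(uint32_t handle) {
    struct conn *c = conn_lookup(handle);
    if (!c) return false;
    c->in_use = false;
    c->generation++;
    if (c->generation == 0) c->generation = 1;   /* never hand out 0 on wrap */
    return true;
}

/* Returns true when the unchecked lookup still resolves a closed handle
 * while the hardened lookup rejects it, even after the slot is reused. */
bool demo_stale_handle(void) {
    memset(pool, 0, sizeof pool);
    uint32_t h = conn_open(0x0040);
    conn_close(h);
    bool unchecked_still_resolves = conn_lookup_unchecked(h) != NULL;
    bool hardened_rejects = conn_lookup(h) == NULL;
    uint32_t h2 = conn_open(0x0041);             /* reuses the same slot */
    bool no_confusion = (h2 != h) && conn_lookup(h) == NULL && conn_lookup(h2) != NULL;
    return unchecked_still_resolves && hardened_rejects && no_confusion;
}
```

The unchecked lookup never dereferences the stale pointer here, so the demonstration stays defined behaviour; in a real stack that dangling pointer is exactly what turns a missing existence check into memory corruption.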

In addition, the RFCOMM component of the BlueSDK passes an incorrect variable as a function argument, which causes unexpected behavior or an information leak (CVE-2024-45432 / no EUVD yet, CVSS 5.7, risk "medium"). The BlueSDK also does not check the L2CAP channel ID (CID) correctly, which allows attackers to create an L2CAP channel with the null identifier as the remote CID; the IT researchers do not explain how this is problematic (CVE-2024-45431 / no EUVD yet, CVSS 3.5, risk "low").
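The CID check described above is a plain range validation. The following C snippet is an added illustration and not BlueSDK code: it parses the payload of an L2CAP Connection Response (a constructed sample, laid out as in the Bluetooth Core specification: destination CID, source CID, result and status as little-endian 16-bit fields) and accepts the peer's CID only if it lies in the dynamically allocated range 0x0040 to 0xFFFF, which excludes the null identifier 0x0000 and the fixed signaling channels. The same validator applies to the source CID carried in a Connection Request.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* CID ranges for an ACL-U logical link (Bluetooth Core spec, L2CAP):
 * 0x0000 null identifier, 0x0001 signaling, 0x0002 connectionless,
 * 0x0003-0x003F fixed/reserved, 0x0040-0xFFFF dynamically allocated. */
#define L2CAP_CID_NULL       0x0000u
#define L2CAP_CID_DYN_START  0x0040u

/* A CID the remote side claims for a connection-oriented channel must be
 * a dynamically allocated one; anything below that is never acceptable. */
bool l2cap_remote_cid_is_valid(uint16_t cid) {
    return cid >= L2CAP_CID_DYN_START;
}

/* Connection Response payload (after the 4-byte signaling header). */
typedef struct {
    uint16_t dcid;     /* channel endpoint allocated by the responder */
    uint16_t scid;     /* our own CID, echoed back */
    uint16_t result;   /* 0x0000 = connection successful */
    uint16_t status;
} l2cap_conn_rsp;

static uint16_t le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the payload; returns false for a short PDU or, on a successful
 * result, for a DCID that is not a usable dynamic channel. */
bool l2cap_parse_conn_rsp(const uint8_t *buf, size_t len, l2cap_conn_rsp *out) {
    if (buf == NULL || out == NULL || len < 8) return false;
    out->dcid   = le16(buf);
    out->scid   = le16(buf + 2);
    out->result = le16(buf + 4);
    out->status = le16(buf + 6);
    if (out->result == 0x0000 && !l2cap_remote_cid_is_valid(out->dcid)) {
        return false;   /* e.g. DCID == L2CAP_CID_NULL: reject instead of opening a channel */
    }
    return true;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t rsp_ok[8]   = {0x41, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00}; /* DCID 0x0041 */
static const uint8_t rsp_null[8] = {0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00}; /* DCID 0x0000 */

bool demo_accepts_valid_cid(void) {
    l2cap_conn_rsp r;
    return l2cap_parse_conn_rsp(rsp_ok, sizeof rsp_ok, &r) && r.dcid == 0x0041 && r.scid == 0x0040;
}

bool demo_rejects_null_cid(void) {
    l2cap_conn_rsp r;
    return !l2cap_parse_conn_rsp(rsp_null, sizeof rsp_null, &r);
}
```

The check is deliberately applied only when the result says the connection succeeded, because that is the point at which the stack would otherwise start routing data to the channel the peer named.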


The IT security researchers have tested and verified the vulnerability combination on infotainment systems from Mercedes-Benz (NTG6 Head Unit), Volkswagen (MEB ICAS3 Head Unit) and Skoda (MIB3 Head Unit). OEMs not mentioned are also said to be vulnerable. It is striking that old firmware versions and devices were tested. However, newer models are also vulnerable, the PCA employees explain. According to the timeline, corrective updates should have been distributed by car manufacturers from around September 2024 onward.

The security gaps allow vulnerable infotainment systems to be broken into. Manufacturers generally distribute updates over-the-air (OTA), provided that car owners have signed the corresponding contracts, which usually run for a limited time. However, users usually have to actively accept these updates and have them installed; those affected should do so now if necessary. Those who do not have an OTA update option must schedule an appointment at the workshop or update via USB.

If a company that uses the BlueSDK configures a very low security profile or "Just Works" SSP mode for it, the gaps could be abused without prior pairing. However, at least the car manufacturers do not do this: they require an attacker's device to be paired with the infotainment system first.

In a statement to heise online, VW also cites this as one of the major hurdles that makes exploiting the vulnerabilities unlikely. The infotainment system must first be put into pairing mode, which typically happens only once. VW also assumes that attackers would have to be within five to seven meters of the targeted vehicle. However, this range can be extended using various approaches; a start-up from the USA claims to have established Bluetooth connections to satellites.

In this case, potential victims also have to agree to the attacker's device being paired. As a rule, the pairing request displays a number for confirmation, and that number would not match the device the user actually intends to pair at that moment.

Once these hurdles have been overcome, it is possible to break into the vulnerable infotainment systems and attackers can execute their code on them. Volkswagen writes: "The investigations have also shown that vehicle safety is not affected at any time, nor does it have any impact on the integrity of the car. Interventions in vehicle functions that go beyond infotainment are not possible, e.g. no steering interventions, no interventions in driver assistance systems or engine or brake functions. These are located in the vehicle on a different control unit, which is protected against external intervention by its own safety functions". There is also no evidence that the vulnerabilities are being abused in the wild.

This part of the assessment is at least questionable. Attacks on vehicle technology that have become known to date often begin with a break-in into the infotainment system, which is connected to other vehicle electronics and control units via CAN bus or RS485. Cars can also be started via the CAN bus.

Mercedes has now also issued a statement. According to it, a team of IT security researchers contacted Mercedes in November 2024 regarding the BlueSDK framework from OpenSynergy. After reviewing the reported findings, Mercedes has taken all necessary countermeasures to avert the risk. OpenSynergy has distributed an update to the BlueSDK library, which is also available as an over-the-air update.

In the context of "PerfektBlue", however, it is largely pointless to ponder such effects, since it is quite unlikely that the conditions for a successful attack will be met. Nevertheless, car owners should make sure that the firmware of their head units is updated to the latest version.

Update

Added the statement of Mercedes.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.