Modern cars are increasingly comparable to computers, particularly those manufactured in the last ten years. This equivalence raises concerns about their vulnerability to hacking, similar to traditional computer systems, albeit with less frequency. A recent discovery has revealed a significant flaw in the Bluetooth systems of vehicles from manufacturers like Mercedes-Benz, Volkswagen, and Skoda, exposing them to what is termed a “one-click” attack that can lead to remote code execution. The vulnerability stems from the use of OpenSynergy’s BlueSDK system, which is integrated into the infotainment and vehicle management systems of various Volkswagen and Mercedes vehicles, with Skoda cars also confirmed as susceptible.
A fourth unnamed manufacturer has also been identified as affected by the flaw. This remote code execution vulnerability can potentially allow attackers to install malware or other programs. Additionally, hackers could exploit the connection to track GPS locations or activate microphones using Bluetooth-connected hardware, among other malicious actions. OpenSynergy acknowledged receipt of a report from PCA CyberSecurity in May 2024, which led to the issuance of security patches for BlueSDK by September of the same year.
However, many vehicle manufacturers utilizing this system have yet to distribute updates to fix these vulnerabilities. As a result, millions of cars on the road could be at risk. The proprietary nature of these systems complicates efforts to determine the exact brands and models impacted, as well as the specific versions of BlueSDK used. Despite the ease of executing the “one-click” PerfektBlue exploit, the requirement of Bluetooth access limits its effectiveness to approximately 30 feet and can only be carried out while the car is operational.