Cars these days are effectively computers on wheels — making them targets for cybercriminals: theft, unauthorized activation of on-board equipment, remote braking and steering, and spying on drivers and passengers are all perfectly doable by the bad guys. But carrying out such attacks often requires either physical access to the vehicle or remote access to its telematics systems (that is, hijacking communications with the carmaker’s server over the cellular network). However, a recent study by PCA Cyber Security describes a new hacking method that targets the car’s infotainment system via Bluetooth. The four vulnerabilities in question — collectively named PerfektBlue — are unlikely to lead to widespread car thefts or hacks, but it’s still worth knowing about them and exercising caution.
Under the hood of PerfektBlue
If your car was made within the last 10 years, no doubt it lets you connect your smartphone via Bluetooth to make hands-free calls or listen to music. The infotainment system is a part of the head unit, and it uses a built-in Bluetooth chip and special software to work. The software of choice for many carmakers is OpenSynergy Blue SDK. According to its developers, Blue SDK is used in 350 million vehicles made by Ford, Mercedes-Benz, Skoda, Volkswagen, and others.
PCA Cyber Security discovered four vulnerabilities in Blue SDK (CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, CVE-2024-45434) which, when used together, could allow an attacker to run malicious code in the system. To do so, they’d need to be connected to the car via Bluetooth, which means pairing a device. If successful, the attacker can send malicious commands to the car using the Bluetooth Audio/Video Remote Control Profile (AVRCP). This causes an error in the head unit’s operating system, giving the hacker the same Bluetooth permissions as the carmaker’s software. Armed with these permissions, the attacker can theoretically track the vehicle’s location, eavesdrop through the car’s built-in microphones, and steal data from the head unit, such as the victim’s address book. Depending on the digital architecture of the car, the CAN bus for communication between electronic control units (ECUs) may also be compromised — allowing an intruder to take over essential functions such as braking.
Practical questions about PerfektBlue
How to spot and prevent this attack? This depends on how Bluetooth is implemented in your particular vehicle. In some rare cases, the in-car infotainment system may not require any driver/passenger confirmation at all — leaving Bluetooth open to third-party connections. If so, there’s no way to stop an attack (!). Most cars, however, require the driver to confirm a connection to a new device, so the driver will see an unexpected connection request. If the request is denied, the attack fails. The car may even automatically deny the connection if the driver has not explicitly enabled pairing mode in the settings. If that applies to your car, attackers will have a job on their hands.
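The two driver-side controls described above (an explicit pairing mode and an on-screen confirmation prompt) can be modelled as a small policy. The following is an added illustration, not code from the article, from PCA Cyber Security, or from OpenSynergy's Blue SDK: the class names, device addresses and the "open" versus "hardened" configurations are constructed for the example. It shows why an unconfirmed request from an unknown device is rejected on a hardened head unit, how an already-bonded phone still reconnects without pairing mode, and how requests that arrive while pairing mode is off can be surfaced as the unexpected connection attempts a driver should treat as a warning sign.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"
    REJECT_PAIRING_MODE_OFF = "reject: pairing mode not enabled by driver"
    REJECT_NOT_CONFIRMED = "reject: driver did not confirm the request"


@dataclass
class PairingRequest:
    # Constructed fields: a Bluetooth device address and the name the remote device advertises.
    address: str
    name: str
    # True only when the driver explicitly accepted the prompt shown on the head unit.
    driver_confirmed: bool = False


@dataclass
class HeadUnitPairingPolicy:
    """Hypothetical model of a head unit's decision for an incoming pairing request.

    require_pairing_mode: the driver must have enabled pairing in the settings first.
    require_confirmation: the driver must accept an on-screen prompt.
    Setting both to False reproduces the 'open' configuration the article warns about.
    """
    require_pairing_mode: bool = True
    require_confirmation: bool = True
    pairing_mode_enabled: bool = False
    bonded: set = field(default_factory=set)   # addresses of phones the driver already trusted
    audit: list = field(default_factory=list)  # (address, name, decision) for every request seen

    def handle(self, req: PairingRequest) -> Decision:
        if req.address in self.bonded:
            decision = Decision.ACCEPT  # reconnect of an already trusted phone, no prompt needed
        elif self.require_pairing_mode and not self.pairing_mode_enabled:
            decision = Decision.REJECT_PAIRING_MODE_OFF
        elif self.require_confirmation and not req.driver_confirmed:
            decision = Decision.REJECT_NOT_CONFIRMED
        else:
            decision = Decision.ACCEPT
            self.bonded.add(req.address)  # bond only after both driver-side checks passed
        self.audit.append((req.address, req.name, decision))
        return decision

    def unsolicited_attempts(self):
        """Requests that arrived while the driver had not opened pairing mode.

        On a hardened head unit these are rejected automatically, but they are still
        worth showing to the driver: nobody nearby should be trying to pair.
        """
        return [entry for entry in self.audit if entry[2] is Decision.REJECT_PAIRING_MODE_OFF]


def demo():
    """Run the same two requests through an open and a hardened head unit."""
    stranger = PairingRequest("AA:BB:CC:00:00:01", "Unknown device")          # constructed
    owner = PairingRequest("AA:BB:CC:00:00:02", "Owner's phone", driver_confirmed=True)

    open_unit = HeadUnitPairingPolicy(require_pairing_mode=False, require_confirmation=False)
    hardened = HeadUnitPairingPolicy()

    results = {
        "open_stranger": open_unit.handle(stranger),
        "hardened_stranger_no_pairing_mode": hardened.handle(stranger),
    }
    hardened.pairing_mode_enabled = True  # driver opens pairing mode in the settings
    results["hardened_stranger_unconfirmed"] = hardened.handle(stranger)
    results["hardened_owner_confirmed"] = hardened.handle(owner)
    hardened.pairing_mode_enabled = False  # pairing mode closed again
    results["hardened_owner_reconnect"] = hardened.handle(owner)
    results["unsolicited_count"] = len(hardened.unsolicited_attempts())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.value if isinstance(value, Decision) else value}")
```

The open configuration accepts the unknown device outright, which is the situation in which the article says an attack cannot be stopped; the hardened one rejects it twice, first because pairing mode is off and then because the driver never confirmed, while the owner's already-bonded phone still reconnects normally.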
How to determine if your car is vulnerable? Unfortunately, makers tend not to disclose information about vehicle components — let alone the software inside them. Therefore, the only reliable way is to contact a branded dealer or specialized car service where they can check the head unit and advise on whether new firmware is available that eliminates the vulnerabilities. The researchers themselves experimented (and successfully exploited the vulnerabilities) on the head units of a Volkswagen ID.4 (infotainment system: MEB ICAS3), a Mercedes-Benz (NTG6) and a Skoda Superb (MIB3).
How to protect your car and yourself? The best advice is to update the head unit firmware to a patched version. Although OpenSynergy released software updates back in September 2024, these must first be applied by the manufacturer of the head unit, and only then by the carmaker. The latter must also distribute the new firmware across its dealer network. Therefore, some vulnerable cars may still be lacking new firmware.
The second reliable method of protection is to disable in-car Bluetooth.
What’s the attack range? With standard Bluetooth hardware, the attack range is limited to 10 meters, but special amplifiers (range extenders) can extend this to 50–100 meters. If a vehicle is equipped with 4G cellular network technology, then after the first phase of the attack, which requires Bluetooth, threat actors can theoretically maintain control over the car via the cellular network.
Is it true the engine must be on for the attack to work? This limitation was reported by Volkswagen, but in practice almost all cars allow you to turn on the infotainment system together with Bluetooth while the ignition is off. Therefore, a running engine is not an attack precondition.
What should carmakers do to improve protection against such attacks? Car manufacturers should adopt the Secure by Design approach. Kaspersky, together with manufacturers of head units and automotive electronics, is creating a line of Cyber Immune solutions based on KasperskyOS that keep the system protected and running even if a vulnerable component is attacked. But given the long development and testing cycles in the automotive industry, it will be several more years before Cyber Immune cars hit the roads.
More case studies of car hacking through vulnerabilities in electronic systems: