BleepingComputer reports that Volkswagen, Skoda, and Mercedes-Benz vehicles are affected by four vulnerabilities, rated low to high severity, in the OpenSynergy BlueSDK Bluetooth stack used by their infotainment systems. Chained together, the flaws enable an attack the researchers call PerfektBlue, which leads to remote code execution and compromise of the infotainment system.
OpenSynergy released patches in September, but many automakers have yet to ship them. According to PCA Cyber Security researchers, who reported that PerfektBlue also affects another, undisclosed OEM, the unpatched flaws could be leveraged for system manipulation, privilege escalation, and lateral movement, eventually enabling GPS tracking, eavesdropping on in-cabin conversations, and access to phone contacts. Volkswagen, which said its investigation into the PerfektBlue flaws is ongoing, countered that exploitation succeeds only when the attacker is within 5 to 7 meters of the targeted vehicle, the ignition is on, and the infotainment system is in pairing mode; the user must also approve the external Bluetooth connection, Volkswagen added.