BleepingComputer

PerfektBlue Bluetooth flaws impact Mercedes, Volkswagen,...

Four vulnerabilities dubbed PerfektBlue and affecting the BlueSDK Bluetooth stack from OpenSynergy can be exploited to achieve remote code execution and potentially allow access to critical element...

Has anyone gotten (as this is recent, can anyone find/get) updates from VW/Skoda to patch this vulnerability?

In short:

"Four vulnerabilities dubbed PerfektBlue and affecting the BlueSDK Bluetooth stack from OpenSynergy can be exploited to achieve remote code execution and potentially allow access to critical elements in vehicles from multiple vendors, including Mercedes-Benz AG, Volkswagen, and Skoda."

The vulnerability was found in late 2024 and then reported to VW Group and other carmakers which use the vulnerable software; public disclosure was only made recently as it took too f*cking long for manufacturers to bubble this up (down?) through their supply chains.

It is unclear to me exactly which cars are affected, but at a minimum a Superb with a MIB3 head unit was included in the demonstration - a remote, unauthenticated attacker was able to get full administrative control of the car's computers.

Physical proximity (say, within less than 10m) is required; human interaction is NOT required for some of the attacks; and sometimes the car doesn't even have to be on for the attack to be able to be carried out.

Vulnerabilities like this are usually more proof-of-concept than real-world risk for typical drivers, but this is one (as a lifetime infosec person) that I'd prefer to patch...

Surely the risk to you or your car is miniscule? Or am I missing something

I explicitly stated that these things usually are not much real-world risk. But yes you are missing something - since this allows a complete takeover of the car computer systems, it's possible that it could be used for theft, and it's almost certain to be used for mischief. (People suck, basically). So since this is a "set up a device to carry out the attack, walk through a parking garage seeing how many cars I can muck up" vulnerability, yes, it would be better to get it patched the next time each of us happen to be taking our cars to a dealer/service shop.

1 minute ago, skomaz said:

Surely the risk to you or your car is miniscule? Or am I missing something

Maybe worry for those with more modern VW Group vehicles / Skoda are OTA updates.

If anything is liable to brick your vehicle it is these.

Be that as it may, as this did affect at least a Superb III, our not-entirely-so-modern vehicles may be vulnerable, and my original question stands, about whether anyone has/can get their Skoda/VW dealer to admit that an update is available and to offer to apply it.

For example, as this is a security vulnerability, I would expect it to be offered without cost regardless of warranty status.

(I've just called a Skoda workshop to ask; I'll report back here when I hear from them).

4 minutes ago, Ootohere said:

Maybe worry for those with more modern VW Group vehicles / Skoda are OTA updates.

If anything is liable to brick your vehicle it is these.

It is a huge worry for Palestinians driving VW,s, or maybe Chinese people in the UK.

'They are watching you and can see you.!'

21 minutes ago, JayLibove said:

I explicitly stated that these things usually are not much real-world risk. But yes you are missing something - since this allows a complete takeover of the car computer systems, it's possible that it could be used for theft, and it's almost certain to be used for mischief. (People suck, basically). So since this is a "set up a device to carry out the attack, walk through a parking garage seeing how many cars I can muck up" vulnerability, yes, it would be better to get it patched the next time each of us happen to be taking our cars to a dealer/service shop.

Think I'll take the risk on that as I'm not that paranoid - there's probably more chance of my vehicle being ballsed up by a dealer installing software updates than of someone deciding to 'hack' a base spec Kodiaq IMHO. And lets face it - we're exposed to tracking and hacking wherever we are these days...

Apparently VAG commenced investigating as soon as they were told.

Here is what they told Bleeping Computer.

"BleepingComputer has contacted the three automakers asking if they pushed OpenSynergy's fixes. A statement from Mercedes was not immediately available and Volkswagen said that they started investigating the impact and ways to address the risks immediately after learning about the issues.

"The investigations revealed that it is possible under certain conditions to connect to the vehicle's infotainment system via Bluetooth without authorization," a Volkwagen spokesperson told us.

The German car maker said that leveraging the vulnerabilities is possible only if several conditions are met at the same time:

• The attacker is within a maximum distance of 5 to 7 meters from the vehicle.

• The vehicle's ignition must be switched on.

• The infotainment system must be in pairing mode, i.e., the vehicle user must be actively pairing a Bluetooth device.

• The vehicle user must actively approve the external Bluetooth access of the attacker on the screen.

Even if these conditions occur and an attacker connects to the Bluetooth interface, "they must remain within a maximum distance of 5 to 7 meters from the vehicle" to maintain access, the Volkswagen representative said."

Thank you @Aldfort , that's very practical information. So, for VAG cars at least, the attack surface is very limited (must be in pairing mode, requires interaction by the authorized user of the car to approve the new pairing request).