Tag: Car Hacking

  • Your Car Is at Risk: New Flaw Grants Hackers Root Access to Apple CarPlay

    Researchers at Oligo Security have uncovered a vulnerability in Apple CarPlay that enables remote code execution with root privileges, granting attackers full control over a vehicle’s multimedia system. The flaw, registered as CVE-2025-24132, resides in the AirPlay protocol implementation within CarPlay.

    The issue affects AirPlay Audio SDK up to version 2.7.1, AirPlay Video SDK up to version 3.6.0.126, and the CarPlay Communication Plug-in up to release R18.1. The vulnerability was demonstrated at DefCon 33 during the presentation Pwn My Ride. Researchers showed that attackers could chain Bluetooth and Wi-Fi exploitation to penetrate a car’s system without driver interaction.

    Wireless CarPlay relies on a protocol chain: iAP2 over Bluetooth establishes network parameters, while AirPlay over Wi-Fi mirrors the iPhone screen. The researchers discovered that a Bluetooth radio alone was sufficient to trigger the simplified “Just Works” pairing mode. From there, an attacker could obtain the SSID and password for CarPlay’s hidden Wi-Fi network and exploit a stack buffer overflow in AirPlay, ultimately enabling code execution at the kernel level.

    Although Apple released patched SDKs on April 29, 2025, automotive manufacturers are notoriously slow to integrate such updates. For most models, remediation requires either a service center visit or manual installation via USB, leaving millions of vehicles exposed months after fixes were issued.

    The researchers refrained from disclosing full exploitation details to allow vendors time to adapt their firmware. However, they confirmed successful root access across multiple CarPlay implementations. Wireless connections pose the greatest concern: unlike wired CarPlay, they allow remote attacks if executed within the short device-discovery window during pairing.

    The fragmented automotive supply chain compounds the risk: carmakers, head-unit suppliers, middleware developers, and aftermarket integrators must each independently update SDKs, validate compatibility, and roll out firmware. While newer models with over-the-air update capability may receive patches faster, the majority of vehicles will remain vulnerable for an extended period.

    Experts recommend that companies relying on CarPlay in fleet operations audit their firmware versions and enforce strict update policies. Automakers and hardware vendors, meanwhile, are urged to accelerate SDK integration and streamline validation processes to minimize exposure.
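    The audit the previous paragraph recommends is mostly a version-comparison problem, and the usual pitfall is comparing version strings lexically (which ranks "3.6.0.9" above "3.6.0.126"). The following Python is an added example, not code from Oligo Security or Apple: it checks a fleet inventory against the affected-version upper bounds stated above (AirPlay Audio SDK 2.7.1, AirPlay Video SDK 3.6.0.126, CarPlay Communication Plug-in R18.1). The inventory records, vehicle identifiers and the version values in them are constructed for illustration; they are not real fleet data, and the versions above the bounds are not a claim about which release carries the fix.

```python
import re

# Upper bounds (inclusive) of the affected versions, as stated in the advisory summary above.
AFFECTED_THROUGH = {
    "AirPlay Audio SDK": "2.7.1",
    "AirPlay Video SDK": "3.6.0.126",
    "CarPlay Communication Plug-in": "R18.1",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.7.1', '3.6.0.126' or 'R18.1' into a tuple of ints.

    Numeric tuples compare correctly; plain string comparison would rank
    '3.6.0.9' above '3.6.0.126' and miss an affected build.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_le(a: str, b: str) -> bool:
    """True if version a <= version b, padding shorter tuples with zeros so
    '2.7.1.0' compares equal to '2.7.1' rather than greater."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va <= vb


def is_affected(component: str, version: str):
    """True/False for components the advisory covers, None for anything else."""
    bound = AFFECTED_THROUGH.get(component)
    if bound is None:
        return None
    return version_le(version, bound)


def audit_inventory(inventory):
    """Annotate each inventory record with AFFECTED, PATCHED, NOT_COVERED or
    REVIEW (a version string that could not be parsed needs a human look)."""
    findings = []
    for record in inventory:
        try:
            verdict = is_affected(record["component"], record["version"])
        except ValueError:
            status = "REVIEW"
        else:
            status = {True: "AFFECTED", False: "PATCHED", None: "NOT_COVERED"}[verdict]
        findings.append({**record, "status": status})
    return findings


# Constructed sample inventory (hypothetical vehicle IDs and version values).
SAMPLE_INVENTORY = [
    {"vehicle": "FLEET-001", "component": "AirPlay Video SDK", "version": "3.6.0.9"},
    {"vehicle": "FLEET-002", "component": "AirPlay Video SDK", "version": "3.6.0.127"},
    {"vehicle": "FLEET-003", "component": "CarPlay Communication Plug-in", "version": "R18.1"},
    {"vehicle": "FLEET-004", "component": "AirPlay Audio SDK", "version": "2.7.1.0"},
    {"vehicle": "FLEET-005", "component": "AirPlay Audio SDK", "version": "unknown"},
    {"vehicle": "FLEET-006", "component": "Head-unit OS", "version": "4.2"},
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding['vehicle']:10} {finding['component']:30} "
              f"{finding['version']:10} {finding['status']}")
```

    The REVIEW and NOT_COVERED outcomes matter as much as AFFECTED: a head unit whose SDK version cannot be read, or whose vendor has not said which SDK build it embeds, cannot be marked safe, which is exactly the supply-chain gap the next item describes.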

  • PerfektBlue: Critical Bluetooth Flaws Expose Millions of Cars to Remote Hacks

    Four vulnerabilities within the Bluetooth stack BlueSDK, developed by OpenSynergy and collectively named PerfektBlue, pose a serious security threat to millions of vehicles. These flaws allow remote code execution on targeted devices and potentially grant access to critical components of automobiles manufactured by brands such as Mercedes-Benz, Volkswagen, and Skoda.

    The software flaws were discovered by experts at PCA Cyber Security, a firm specializing in the protection of automotive systems. The issues were reported to OpenSynergy in May 2024, and by June, the developer had confirmed their existence. Fixes were made available to clients in September of the same year. However, a significant number of automakers have yet to deploy the updated firmware, with at least one major manufacturer only recently becoming aware of the issue.

    The PerfektBlue attack can be executed through a chain of exploits that researchers were able to link together. In most cases, a single click by the user is sufficient to trigger the attack. The vulnerabilities are exploitable via Bluetooth connections, and in certain configurations, no user confirmation is required—merely a specific system setup.

    Although BlueSDK is extensively used in the automotive industry, its implementation spans other sectors as well, amplifying the potential scale of damage. PCA Cyber Security asserts that the vulnerabilities impact millions of devices and has demonstrated this in real-world scenarios: they successfully gained a reverse shell on vehicles including the Volkswagen ID.4 (ICAS3 system), Mercedes-Benz (NTG6), and Skoda Superb (MIB3), infiltrating through the infotainment systems.

    The most critical issues relate to the Bluetooth AVRCP profile and the RFCOMM protocol:

    • CVE-2024-45434 (High severity) — A use-after-free (UAF) flaw in the AVRCP service allows attackers to manipulate multimedia devices;
    • CVE-2024-45433 and CVE-2024-45432 (Medium severity) — Function termination errors and incorrect parameter handling in RFCOMM;
    • CVE-2024-45431 (Low severity) — Insufficient validation of the channel identifier in L2CAP.

    The research was conducted without access to the source code—analysts examined the compiled BlueSDK binary. According to the researchers, a successful attack could enable GPS tracking, eavesdropping on in-cabin conversations, access to the phonebook, and lateral movement across the vehicle’s internal network to reach other components.

    OpenSynergy has not disclosed the exact number of affected clients, citing the frequent customization and integration of BlueSDK across various systems, which complicates traceability. Volkswagen has acknowledged the vulnerability, while emphasizing that its exploitation requires multiple conditions to align: the attacker must be within 5–7 meters of the vehicle, the engine must be running, the system must be in pairing mode, and the user must manually confirm the connection.

    Volkswagen further assured that even in the event of a successful attack, critical control systems—such as steering, brakes, and the engine—are separately secured and isolated from the Bluetooth module.

    PCA Cyber Security also confirmed in June 2025 the presence of PerfektBlue in the systems of another automotive manufacturer that had not received a security advisory from OpenSynergy. The name of the company remains undisclosed, as it has not yet been granted sufficient time to respond. Full technical details of the vulnerabilities will be presented in November 2025 at a cybersecurity conference.

    As of now, Mercedes-Benz has not issued an official statement. Volkswagen, on the other hand, launched an internal investigation upon receiving the disclosure and announced its efforts to mitigate the threat. Nonetheless, the question of whether automakers are responding to such risks with appropriate urgency remains unresolved.