Time Table

This talk covers the PerfektBlue attack - a set of critical memory corruption and logic vulnerabilities found by Mikhail Evdokimov in BlueSDK Bluetooth stack that can be chained together to obtain over-the-air Remote Code Execution (RCE) on millions of vehicles manufactured by different vendors. You will be guided through the entire vulnerability research process, from the initial discovery to building a sophisticated exploitation chain to get RCE on multiple targets. The session includes an overview of Volkswagen, Mercedes-Benz, and Skoda IVI systems, followed by an introduction to the Bluetooth architecture. Further, we delve into the discovery and exploitation phases, describing how a UAF vulnerability can be turned into the Arbitrary Address Write (AAW) primitive, along with the memory leak via the logic bugs’ chain. After this, we put it all together to obtain the execution of arbitrary functions leading to RCE on IVI systems.