"PerfektBlue" Bluetooth Flaws Leave Millions Of Cars At Risk

Due to a set of newly discovered flaws, vehicles from major car brands like Mercedes-Benz, Volkswagen, and Škoda may be vulnerable to remote attacks via Bluetooth. Researchers have identified a group of security issues, collectively named "PerfektBlue", that could allow hackers to remotely take control of certain vehicle systems with minimal interaction from the driver.

These vulnerabilities, which stem from a Bluetooth software stack known as Blue SDK developed by German company OpenSynergy, have raised serious concerns across the automotive industry, possibly leaving millions of cars vulnerable to attack.

OpenSynergy released a short statement regarding the discovery of the vulnerabilities, stating,

OpenSynergy was notified in May 2024 by PCA Cyber Security (formerly PCAutomotive) about a couple of potential vulnerabilities (named PerfektBlue) in Blue SDK.

We are pleased to confirm that corrections were applied and fixed the potential vulnerabilities, and relative patches were supplied to our customers in September 2024.

PerfektBlue refers to four security flaws discovered in the Blue SDK software, commonly used in car infotainment and telematics systems. This software enables Bluetooth communication between vehicles and external devices like smartphones. This allows drivers to take calls, stream music, or access apps through the car's dashboard.

In summary, the four vulnerabilities are:

  • CVE-2024-45434 (high severity) – use-after-free in the AVRCP service for the Bluetooth profile that allows remote control over media devices
  • CVE-2024-45431 (low severity) – improper validation of an L2CAP (Logical Link Control and Adaptation Protocol) channel's remote channel identifier (CID)
  • CVE-2024-45433 (medium severity) – incorrect function termination in the Radio Frequency Communication (RFCOMM) protocol
  • CVE-2024-45432 (medium severity) – function call with incorrect parameter in the RFCOMM protocol
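
To make the CVE-2024-45431 description concrete, here is an added illustration of remote-CID validation as the Bluetooth Core Specification's L2CAP rules require it. It is not code from Blue SDK or from the researchers, and the article gives no implementation detail of the flaw itself. The struct, function names and table size are hypothetical, and a 2-octet PSM is assumed.

```c
#include <stddef.h>
#include <stdint.h>

/* L2CAP Connection Response result codes (Bluetooth Core Specification). */
#define L2CAP_CR_SUCCESS       0x0000
#define L2CAP_CR_NO_RESOURCES  0x0004
#define L2CAP_CR_INVALID_SCID  0x0006
#define L2CAP_CR_SCID_IN_USE   0x0007

/* On an ACL-U link 0x0000 is the null CID, 0x0001-0x003F are fixed
   channels, and dynamically allocated CIDs start at 0x0040. */
#define L2CAP_CID_DYN_START    0x0040
#define MAX_CHANNELS           8   /* hypothetical table size */

/* Hypothetical per-link table of the peer's channel identifiers. */
struct l2cap_link {
    uint16_t remote_cid[MAX_CHANNELS];   /* 0 = slot free */
};

/* Check the peer-supplied Source CID before any channel state exists.
   Returns the result code to place in the Connection Response. */
uint16_t l2cap_check_remote_cid(const struct l2cap_link *link, uint16_t scid)
{
    if (scid < L2CAP_CID_DYN_START)
        return L2CAP_CR_INVALID_SCID;      /* null or fixed-channel CID */
    for (size_t i = 0; i < MAX_CHANNELS; i++)
        if (link->remote_cid[i] == scid)
            return L2CAP_CR_SCID_IN_USE;   /* peer reused a live CID */
    return L2CAP_CR_SUCCESS;
}

/* Handle a Connection Request payload: PSM then Source CID, both
   little-endian. Returns -1 if malformed (caller sends Command Reject),
   otherwise the Connection Response result code. */
int l2cap_handle_conn_req(struct l2cap_link *link,
                          const uint8_t *data, size_t len)
{
    if (data == NULL || len != 4)
        return -1;
    uint16_t scid = (uint16_t)(data[2] | (data[3] << 8));
    uint16_t res = l2cap_check_remote_cid(link, scid);
    if (res != L2CAP_CR_SUCCESS)
        return res;                        /* refuse; no state is created */
    for (size_t i = 0; i < MAX_CHANNELS; i++)
        if (link->remote_cid[i] == 0) {
            link->remote_cid[i] = scid;    /* record only a validated CID */
            return L2CAP_CR_SUCCESS;
        }
    return L2CAP_CR_NO_RESOURCES;
}
```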

Researchers from security firm PCA Cyber Security found that attackers can exploit flaws in this system to run malicious code on the car's head unit, the central control system for the vehicle's entertainment and connectivity features. Even more concerning, the attack can be carried out wirelessly, without physical access to the car.

PerfektBlue in Practice

The exploit begins with an attacker connecting to a nearby vehicle over Bluetooth. Once the connection is established, the attacker can exploit the flaws in the Blue SDK to install and run unauthorized code on the vehicle's system.

In many cases, the attack requires only minimal interaction from the driver, such as accepting a Bluetooth pairing request. This makes it especially dangerous in public or urban areas, where cars are often parked within range of attackers' devices.

Once inside the system, the hacker could theoretically take control of infotainment features, monitor communications, or pivot toward more critical vehicle systems, depending on how the manufacturer integrated Bluetooth with other onboard components.

So far, the vulnerabilities are confirmed to affect:

  • Mercedes-Benz
  • Volkswagen
  • Škoda

These car manufacturers use OpenSynergy's Blue SDK in various models, often within the infotainment systems. While not all vehicles from these brands are necessarily at risk, many models built in the last several years may contain the vulnerable software.

Unfortunately, exact model lists have not yet been released publicly, and it remains unclear how widely the vulnerable software has been deployed. Some carmakers were unaware of the issue until the research findings were disclosed.

It is important to note that patches have been made available. OpenSynergy acknowledged the issues in June 2024 and released security fixes in September 2024. These patches correct the software flaws in the Bluetooth stack and are intended for vehicle manufacturers to implement through firmware updates.

However, many vehicles are still running unpatched versions of the software. In some cases, automakers have only begun to evaluate and distribute the patches, leaving many cars exposed.

Automotive software updates are not as simple as smartphone app updates. Car manufacturers must test patches carefully to avoid unintended consequences, especially when safety and reliability are at stake. Firmware updates for cars are often slow to roll out, and in many cases, they require dealership appointments or over-the-air update mechanisms that not all models support.

If you drive a car from Mercedes, Volkswagen, or Škoda, you can take the following steps to mitigate possible exploitation:

  • Check with your dealership or the manufacturer's website to see if your model is affected.
  • Ask whether a software or firmware update is available for your vehicle's infotainment system.
  • Limit Bluetooth pairings to only trusted devices, and avoid accepting unsolicited Bluetooth requests.
  • Be cautious in public areas, especially where vehicles are parked closely together, and Bluetooth range could be used maliciously.

The average driver is not in immediate danger of having their vehicle hijacked. However, the vulnerabilities are real, and the potential for misuse does exist, particularly by skilled attackers who could build automated exploit tools. If left unpatched, these flaws could become part of broader cyberattacks that target vehicles in fleets or urban settings, where mass Bluetooth scanning could expose dozens of cars quickly.

Bluetooth vulnerabilities in cars are not just technical issues but also safety and privacy concerns. As modern vehicles become increasingly connected, the line between infotainment and essential driving functions continues to blur. Flaws like those in PerfektBlue illustrate how a seemingly minor software bug can open doors to much larger risks.

Moreover, the automotive industry still struggles to keep pace with cybersecurity threats. While the research community actively discloses issues like PerfektBlue, patch deployment remains inconsistent and slow.

PerfektBlue is a wake-up call for car manufacturers, regulators, and drivers alike. While Bluetooth technology makes driving more convenient and connected, it also introduces new pathways for attack. Timely updates, proactive manufacturer responses, and better consumer awareness are essential to keeping cars safe.

For now, drivers of affected vehicles should stay informed, limit unnecessary Bluetooth pairings, and ensure they receive all relevant updates as soon as they become available.

Karolis Liucveikis
