Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.
The vulnerabilities, dubbed PerfektBlue, can be fashioned together as an exploit chain to run arbitrary code on cars from at least three major automakers, Mercedes-Benz, Volkswagen, and Skoda, according to PCA Cyber Security (formerly PCAutomotive). Outside of these three, a fourth unnamed original equipment manufacturer (OEM) has been confirmed to be affected as well.
“PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),” the cybersecurity company said.
While infotainment systems are often seen as isolated from critical vehicle controls, in practice, this separation depends heavily on how each automaker designs internal network segmentation. In some cases, weak isolation allows attackers to use IVI access as a springboard into more sensitive zones—especially if the system lacks gateway-level enforcement or secure communication protocols.
The only requirement to pull off the attack is that the bad actor needs to be within range and be able to pair their setup with the target vehicle’s infotainment system over Bluetooth. It essentially amounts to a one-click attack to trigger over-the-air exploitation.
“However, this limitation is implementation-specific due to the framework nature of BlueSDK,” PCA Cyber Security added. “Thus, the pairing process might look different between various devices: limited/unlimited number of pairing requests, presence/absence of user interaction, or pairing might be disabled completely.”
The list of identified vulnerabilities is as follows –
- CVE-2024-45434 (CVSS score: 8.0) – Use-After-Free in AVRCP service
- CVE-2024-45431 (CVSS score: 3.5) – Improper validation of an L2CAP channel’s remote CID
- CVE-2024-45433 (CVSS score: 5.7) – Incorrect function termination in RFCOMM
- CVE-2024-45432 (CVSS score: 5.7) – Function call with incorrect parameter in RFCOMM
Successfully obtaining code execution on the In-Vehicle Infotainment (IVI) system enables an attacker to track GPS coordinates, record audio, access contact lists, and even perform lateral movement to other systems and potentially take control of critical software functions of the car, such as the engine.
Following responsible disclosure in May 2024, patches were rolled out in September 2024.
“PerfektBlue allows an attacker to achieve remote code execution on a vulnerable device,” PCA Cyber Security said. “Consider it as an entrypoint to the targeted system which is critical. Speaking about vehicles, it’s an IVI system. Further lateral movement within a vehicle depends on its architecture and might involve additional vulnerabilities.”
Earlier this April, the company presented a series of vulnerabilities that could be exploited to remotely break into a Nissan Leaf electric vehicle and take control of critical functions. The findings were presented at the Black Hat Asia conference held in Singapore.
“Our approach began by exploiting weaknesses in Bluetooth to infiltrate the internal network, followed by bypassing the secure boot process to escalate access,” it said.
“Establishing a command-and-control (C2) channel over DNS allowed us to maintain a covert, persistent link with the vehicle, enabling full remote control. By compromising an independent communication CPU, we could interface directly with the CAN bus, which governs critical body elements, including mirrors, wipers, door locks, and even the steering.”
CAN, short for Controller Area Network, is a communication protocol mainly used in vehicles and industrial systems to facilitate communication between multiple electronic control units (ECUs). Should an attacker with physical access to the car be able to tap into it, the scenario opens the door for injection attacks and impersonation of trusted devices.
“One notorious example involves a small electronic device hidden inside an innocuous object (like a portable speaker),” the Hungarian company said. “Thieves covertly plug this device into an exposed CAN wiring junction on the car.”
“Once connected to the car’s CAN bus, the rogue device mimics the messages of an authorized ECU. It floods the bus with a burst of CAN messages declaring ‘a valid key is present’ or instructing specific actions like unlocking the doors.”
In a report published late last month, Pen Test Partners revealed it turned a 2016 Renault Clio into a Mario Kart controller by intercepting CAN bus data to gain control of the car and mapping its steering, brake, and throttle signals to a Python-based game controller.
Update
In a statement shared with The Hacker News, Volkswagen said the identified issues exclusively concern Bluetooth and that neither is vehicle safety or integrity affected.
“The investigations revealed that it is possible under certain conditions to connect to the vehicle’s infotainment system via Bluetooth without authorization,” the company said.
“Interventions in vehicle functions beyond the infotainment system are not possible, e.g., no steering interventions, no interventions in driver assistance systems, or engine or brake functions. These are located in the vehicle on a different control unit, which is protected against external interference by its own security functions. There are also no indications of malicious exploitation in vehicles in the field.”
It also noted that exploitation of the vulnerabilities is only possible when several conditions are met simultaneously –
- The attacker is within a maximum distance of 5 to 7 meters from the vehicle
- The vehicle’s ignition must be switched on
- The infotainment system must be in pairing mode, i.e., the vehicle user must be actively pairing a Bluetooth device, and
- The vehicle user must actively approve the external Bluetooth access of the attacker on the screen
Even in scenarios where a threat actor is able to meet the aforementioned criteria and obtain access to the Bluetooth interface, they must remain within a maximum distance of 5 to 7 meters from the vehicle to access the described audio functions of the vehicle.
As a precautionary measure, vehicle users can safeguard against these attacks by checking the pairing data during the connection process and ensure the numbers match those displayed on their own device.
“Volkswagen is addressing the security gap with software updates, so vehicle users should definitely perform the offered software updates,” the spokesperson added. “In some cases, a visit to the workshop may also be necessary.”
(The story was updated after publication to include a response from Volkswagen.)
