Bluetooth weaknesses threaten the security of millions of automobiles, as indicated by PerfektBlue.
In July 2025, cybersecurity researchers disclosed a set of four critical vulnerabilities (CVE-2024-45431 to -45434) in OpenSynergy's BlueSDK, a Bluetooth stack used in modern infotainment systems. These flaws, if exploited, could enable attackers to execute malicious code over Bluetooth Classic connections.
The vulnerabilities were first reported in May 2024, and PerfektBlue, as the set is now known, includes one memory corruption flaw and three logic-level vulnerabilities stemming from protocol mismanagement. The flaws illustrate ongoing issues in Bluetooth stack security, including the handling of vast amounts of untrusted data, the use of C in implementations, and the complications of fuzz testing due to the wireless and real-time nature of Bluetooth.
Experts advise automakers to consider Bluetooth stacks as high-value attack surfaces, and they suggest integrating protocol fuzzing and binary analysis in development lifecycles to mitigate such risks.
The vulnerabilities affect millions of vehicles across brands including Volkswagen, Mercedes-Benz, and Skoda. However, as of 2025, no publicly available information exists about automakers using OpenSynergy's BlueSDK in their infotainment systems being exposed to the PerfektBlue vulnerabilities allowing malicious code execution via Bluetooth Classic connections.
One concerning aspect is that no software bills of materials (SBOMs) were available, making OEMs unaware of their dependence on BlueSDK. This underscores the importance of standardizing the use of SBOMs for third-party software identification and tracking.
The flaws create a pathway to remote code execution once pairing succeeds. However, PerfektBlue can only be exploited at close range, requiring the attacker to be within 5-7 meters of a target vehicle and establish Bluetooth pairing.
Delays in deploying updates were largely due to complex supply chains with limited visibility on software components. Priority should be given to OTA update pipelines to reduce patch deployment delays.
A successful attack would open the infotainment system to the hacker(s), leaking data such as GPS data, vehicle location, contact lists, and communication logs. Safety-critical functions like braking and steering remain segmented, but weak network isolation could allow lateral movement if additional vulnerabilities exist.
Service updates were highly manual rather than over-the-air (OTA). This, coupled with the complexity of the supply chain, highlights the need for improved security measures and update processes in the automotive industry.
Read also:
- User Data Analysis on Epic Games Store
- Rachel Reeves conducts a discussion with Scott Bessent and financial executives, focusing on investment matters
- Strategic approach to eco-friendly nickel production for electric vehicles in Europe
- Week 39/24 Highlights: Tesla CEO's visit, Robo-taxi buzz, Full Self-Driving study, Affordable electric cars, and European pricing less than €30,000
