Bluetooth Flaws Pose Threat to Millions of Motor Vehicles, According to PerfektBlue
In July 2025, four vulnerabilities (CVE-2024-45431 to -45434) were disclosed in OpenSynergy's BlueSDK, a Bluetooth stack used in modern infotainment systems. These vulnerabilities affect millions of vehicles across brands like Volkswagen, Mercedes-Benz, and Skoda, according to recent reports.
The vulnerabilities enable attackers to execute malicious code over Bluetooth Classic connections, potentially granting hackers access to the in-vehicle infotainment (IVI) system. A successful attack would allow hackers to leak sensitive data such as GPS data, vehicle location, in-car microphone recordings, contact lists, and communication logs.
The flaws in the Bluetooth stack design include one memory corruption flaw and three logic-level vulnerabilities stemming from protocol mismanagement. Prioritizing over-the-air (OTA) update pipelines is recommended to reduce patch deployment delays, which were largely due to complex supply chains and limited visibility on software components in this case.
Integrating protocol fuzzing and binary analysis in development lifecycles is suggested as a countermeasure. The vulnerabilities highlight ongoing issues in Bluetooth stack security, including the handling of vast amounts of untrusted data, the use of C in implementations, and the complications of fuzz testing due to the wireless and real-time nature of Bluetooth.
PerfektBlue, as the vulnerabilities are known, can only be exploited at close range, within 5-7 meters of a target vehicle. However, the search results do not provide information about the specific automobile manufacturers affected by these vulnerabilities.
Experts advise automakers to consider Bluetooth stacks as high-value attack surfaces. The flaws in the BlueSDK serve as a reminder that connected vehicles remain vulnerable to wireless exploits, and faster adoption of patches is necessary to avoid repeating past cybersecurity lapses.
Moreover, the absence of software bills of materials (SBOMs) caused Original Equipment Manufacturers (OEMs) to be unaware of their dependence on BlueSDK, underscoring the importance of standardizing the use of SBOMs for easier identification and tracking of third-party software.
Service updates were highly manual rather than over-the-air (OTA), contributing to the delays in deploying patches. A patch for the vulnerabilities was issued by September 2024, but the delays in deployment highlight the need for improved update strategies in the automotive industry.
The vulnerabilities also raise concerns about the weak network isolation in modern vehicles, as safety-critical functions like braking and steering remain segmented, but a weak network isolation could allow lateral movement if additional vulnerabilities exist.
PerfektBlue is a stark reminder of the importance of cybersecurity in the connected world, particularly in the automotive sector. As vehicles become increasingly interconnected and reliant on software, the need for robust security measures will only grow.
