Serious Flaws in the Bluetooth Protocol Put Devices at Risk of RCE Attacks
Security researchers have revealed a major collection of Bluetooth vulnerabilities in OpenSynergy’s BlueSDK framework, known as “PerfektBlue”, that impact millions of cars and other devices.
Only device pairing is necessary to initiate a successful attack, as the vulnerabilities can be chained together to achieve remote code execution (RCE) with little user interaction.
Bluetooth Protocol Flaws
The OpenSynergy BlueSDK Bluetooth stack, a framework extensively used in the automobile industry, has four unique vulnerabilities that the PerfektBlue attack takes advantage of.
| CVE ID | Description | CVSS Score | Severity |
| --- | --- | --- | --- |
| CVE-2024-45434 | Use-After-Free in AVRCP service | 8.0 | Critical |
| CVE-2024-45431 | Improper validation of the L2CAP channel’s remote CID | 3.5 | Low |
| CVE-2024-45433 | Incorrect function termination in RFCOMM | 5.7 | Medium |
| CVE-2024-45432 | Function call with incorrect parameter in RFCOMM | 5.7 | Medium |
Researchers have proven that major manufacturers, including Mercedes-Benz AG, Volkswagen, and Skoda, are impacted, and they have found that the weakness affects mobile phones and other portable devices in addition to automotive applications.

The attack is especially risky for in-vehicle infotainment (IVI) systems because it can be exploited over the air with only a single click from the user.
Once the chain is successfully exploited, attackers can acquire personal phonebook information, capture audio inside automobiles, monitor GPS locations, and potentially move laterally to other electronic control units (ECUs) connected to the vehicle’s network.
The PerfektBlue attack chain is made up of memory corruption and logic flaws, which can be chained for maximum effect.
Lacking source code access, the PCA Security Assessment Team discovered these vulnerabilities by examining BlueSDK-based Bluetooth executables on test devices.

Proof-of-concept attacks were utilized to validate the vulnerabilities on three distinct infotainment systems: Skoda’s MIB3 system, which is found in Superb model lines; Mercedes-Benz NTG6 head units; and Volkswagen’s MEB ICAS3 system, which is used in ID model cars.
OpenSynergy was initially notified of the vulnerabilities in May 2024, and by September 2024, the corporation had confirmed the problems and created patches.
Patch distribution has been slowed down by the intricate automobile supply chain, though, and as late as June 2025, some original equipment manufacturers (OEMs) had yet to get patches.

Despite OpenSynergy’s patch availability, at least one unnamed OEM reported that it never received vulnerability notifications or updates from its suppliers, highlighting communication issues throughout the automotive supply chain.
Users and organizations should prioritize system updates when they become available in order to defend against PerfektBlue attacks.
Although it may affect device operation, completely turning off Bluetooth as a precaution can stop exploitation right away. For detailed instructions on available security updates for their infotainment systems, car owners can get in touch with their manufacturers.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.