Key Takeaways
- Four critical vulnerabilities in OpenSynergy’s BlueSDK Bluetooth stack could let attackers infiltrate millions of vehicles, including models from Mercedes-Benz, Volkswagen, and Skoda.
- Exploitation requires proximity to the target vehicle and may allow unauthorized access to sensitive systems such as GPS and audio recording.
- While patches were developed, challenges in distributing updates through complex automotive supply chains have delayed fixes for some manufacturers.
Significant Vulnerabilities Identified in Automotive Bluetooth Systems
Cybersecurity experts have discovered four severe vulnerabilities, collectively known as PerfektBlue, in OpenSynergy’s BlueSDK Bluetooth stack. This stack is widely used in automotive systems, impacting popular manufacturers like Mercedes-Benz, Volkswagen, and Skoda. A fourth, unnamed manufacturer also utilizes this technology.
The vulnerabilities expose a growing risk for connected vehicles, particularly as Bluetooth-enabled infotainment systems become standard. Researchers indicated that these vulnerabilities could be exploited in an interconnected chain, allowing attackers to gain unauthorized access to vehicle systems via Bluetooth.
To exploit these flaws, an attacker must be within Bluetooth range of a target vehicle and successfully pair with its infotainment system. The pairing procedure may vary between manufacturers—some require user interaction, while others may not.
Among the vulnerabilities is a critical use-after-free flaw in the Advanced Audio/Video Remote Control Profile (AVRCP) service (CVE-2024-45434), rated CVSS 8.0. The remaining three flaws involve improper validation and incorrect function handling in the Logical Link Control and Adaptation Protocol (L2CAP) and RFCOMM layers.
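The following is an added illustration, not code from OpenSynergy's BlueSDK or from PCA Cyber Security's research, and it does not reproduce the actual CVE-2024-45434 defect. It shows the general shape of a use-after-free in a per-connection service (a cached raw pointer outlives the connection it referred to and ends up touching a slot reused by another peer) and one defensive pattern, a generation-checked handle table that makes stale references fail closed. All names (`conn_t`, `handle_t`, `set_volume_*`) and the peer addresses are constructed for the example.

```c
/* Added illustration (not BlueSDK code): a cached raw pointer to
   per-connection state vs. a generation-checked handle that is
   re-validated at time of use. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_CONN 4

/* Hypothetical per-connection state for a remote-control style service. */
typedef struct {
    int in_use;
    uint32_t generation;   /* bumped on every open and every close */
    char peer[18];         /* constructed "AA:BB:CC:DD:EE:FF" strings */
    int volume;
} conn_t;

static conn_t table[MAX_CONN];

/* A handle is a slot index plus the generation observed at open time. */
typedef struct { int slot; uint32_t gen; } handle_t;

handle_t conn_open(const char *peer) {
    for (int i = 0; i < MAX_CONN; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            table[i].generation++;                 /* new lifetime */
            strncpy(table[i].peer, peer, sizeof table[i].peer - 1);
            table[i].peer[sizeof table[i].peer - 1] = '\0';
            table[i].volume = 50;
            return (handle_t){ i, table[i].generation };
        }
    }
    return (handle_t){ -1, 0 };
}

void conn_close(handle_t h) {
    if (h.slot < 0 || h.slot >= MAX_CONN) return;
    table[h.slot].in_use = 0;
    table[h.slot].generation++;                    /* invalidates every outstanding handle */
}

/* Resolve a handle; stale generation or free slot yields NULL. */
static conn_t *conn_lookup(handle_t h) {
    if (h.slot < 0 || h.slot >= MAX_CONN) return NULL;
    conn_t *c = &table[h.slot];
    if (!c->in_use || c->generation != h.gen) return NULL;
    return c;
}

/* Vulnerable pattern: trusts a pointer cached earlier. If the connection
   was released meanwhile, the write lands in whatever now owns the slot. */
int set_volume_unchecked(conn_t *cached, int vol) {
    cached->volume = vol;
    return cached->volume;
}

/* Hardened: resolve the handle at the moment of use; -1 if it is stale. */
int set_volume_checked(handle_t h, int vol) {
    conn_t *c = conn_lookup(h);
    if (!c) return -1;
    c->volume = vol;
    return c->volume;
}

/* Scenario: peer A connects, the service caches its state, A disconnects,
   peer B takes the same slot, then a late command meant for A arrives. */
int demo_unchecked(void) {
    memset(table, 0, sizeof table);
    handle_t a = conn_open("11:22:33:44:55:66");   /* constructed address */
    conn_t *cached = &table[a.slot];
    conn_close(a);
    handle_t b = conn_open("AA:BB:CC:DD:EE:FF");   /* reuses slot 0 */
    set_volume_unchecked(cached, 99);              /* silently corrupts B */
    return table[b.slot].volume;                   /* 99 */
}

/* Same scenario with the handle check: returns 1 if the stale command was
   refused and B's state is untouched. */
int demo_checked(void) {
    memset(table, 0, sizeof table);
    handle_t a = conn_open("11:22:33:44:55:66");
    conn_close(a);
    handle_t b = conn_open("AA:BB:CC:DD:EE:FF");
    int r = set_volume_checked(a, 99);             /* -1: stale handle */
    return (r == -1 && table[b.slot].volume == 50) ? 1 : 0;
}

int main(void) {
    printf("unchecked: peer B volume after stale command = %d\n", demo_unchecked());
    printf("checked: stale command refused, B intact = %d\n", demo_checked());
    return 0;
}
```

The generation counter is what turns a silent memory-safety bug into a detectable, logged rejection: any handle minted before the close compares unequal and is refused, regardless of whether the slot has since been reused.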
Researchers conducted successful tests on selected infotainment systems, including Mercedes-Benz’s NTG6, Volkswagen’s MEB ICAS3, and Skoda’s MIB3, demonstrating their ability to exploit these vulnerabilities. The findings draw attention to the complexities of automotive cybersecurity; while infotainment systems are designed to be separate from critical vehicle controls, the actual effectiveness of this separation varies based on each manufacturer’s architecture.
If exploited, attackers could potentially access sensitive features like GPS tracking and audio recording. However, the extent of access would depend on other vulnerabilities and the vehicle’s specific network setup.
PCA Cyber Security first reported the vulnerabilities to OpenSynergy in May 2024, which acknowledged the issues and issued patches by September 2024. Yet, the intricate nature of automotive supply chains has complicated the distribution of these updates, with some manufacturers still lacking necessary fixes as late as June 2025. This delay spurred researchers to make the findings public while concealing the identity of the fourth manufacturer.
Proof-of-concept demonstrations successfully gained reverse shell access to target systems, allowing remote command execution. These tests were performed on firmware versions from 2020 to 2023, suggesting that even older firmware might be vulnerable.
For further details on these vulnerabilities, additional technical information is available on PCA Cyber Security’s website.
The content above is a summary. For more details, see the source article.