bluetooth vulnerabilities in vehicles

A critical security vulnerability exposing millions of vehicles to remote cyberattacks has emerged through flaws in a widely-deployed Bluetooth software component used across the automotive industry. The PerfektBlue attack targets OpenSynergy’s BlueSDK Bluetooth stack, exploiting vulnerabilities that allow hackers to remotely access car systems with minimal user interaction.

The attack affects major automotive manufacturers, including Mercedes-Benz NTG6 head units, Volkswagen’s MEB ICAS3 system in ID model vehicles, and Skoda’s MIB3 system in Superb model lines. An additional unnamed original equipment manufacturer has likewise confirmed vulnerability, highlighting the extensive reach of BlueSDK across automotive supply chains.

Major automotive brands including Mercedes-Benz, Volkswagen, and Skoda face widespread vulnerability exposure through compromised BlueSDK Bluetooth components.

The widespread impact stems from OpenSynergy’s prominent position as a Bluetooth stack provider, with customization and repackaging processes making it difficult to identify all affected vendors.

Exploitation requires specific conditions that limit immediate risk but create significant security concerns. Attackers must position themselves within five to seven meters of targeted vehicles, which must have ignition systems activated and infotainment systems in pairing mode. The attack typically requires user approval for external Bluetooth access, though some systems may pair without explicit confirmation, potentially allowing zero-click exploitation before authentication occurs.

Once successfully executed, the attack grants extensive capabilities to malicious actors. Hackers can achieve remote code execution on vehicle systems, access personal phonebook data, record audio from inside vehicles, and track GPS coordinates. The vulnerabilities also create potential for lateral movement within vehicle networks, theoretically allowing control over critical functions including steering, horn activation, and windshield wipers.

OpenSynergy received vulnerability reports in May 2024 and developed patches by September 2024, yet distribution has faced significant delays because of complex automotive supply chains. Volkswagen has acknowledged the investigation and risk mitigation efforts, while other manufacturers have not confirmed patch implementation.

Some original equipment manufacturers claim they have not received vulnerability notifications or patches, highlighting transparency issues in embedded software components. The most critical vulnerability, CVE-2024-45434, involves a use-after-free flaw in the AVRCP service with a CVSS score of 8.0.

The incident emphasizes growing cybersecurity challenges in connected vehicles, where privacy violations and safety risks converge through compromised infotainment systems that serve as gateways to more critical automotive control systems.

You May Also Like

When a Digital Picture Frame Became a Cybercriminal’S Gateway Into Millions of Homes

Your cherished family photos might be the gateway hackers use to infiltrate your home network. Digital picture frames hide a dangerous secret.