
An international team at PCA Cyber Security has disclosed PerfektBlue, a quartet of memory-corruption flaws within OpenSynergy BlueSDK, the Bluetooth stack embedded in head-units from at least four global automakers. Chained together, the bugs hand an attacker within radio range a one-click path to remote code execution (RCE) on in-vehicle infotainment (IVI) systems from Mercedes-Benz, Volkswagen, Škoda, and an unnamed fourth OEM.
The discovered vulnerabilities include the following CVEs:
| CVE | Component | CVSS v3.1 | Description |
| --- | --- | --- | --- |
| 2024-45434 | AVRCP | 8.0 | Use-After-Free during media-control handling |
| 2024-45431 | L2CAP | 3.5 | Improper validation of remote Channel ID |
| 2024-45433 | RFCOMM | 5.7 | Incorrect function termination |
| 2024-45432 | RFCOMM | 5.7 | Function call with wrong parameter |
Patches shipped in September 2024, four months after responsible disclosure.
Using the exploit chain, researchers were able to carry out the following wirelessly:
- Live GPS tracking
- Hot‑miking of cabin audio
- Exfiltration of the paired‑device phonebook
- Lateral movement onto internal vehicular networks, potentially all the way to the CAN bus and safety‑critical ECUs.
In April 2025, the same team demonstrated a complete remote takeover of a Nissan Leaf electric vehicle at Black Hat Asia. Their approach began with Bluetooth exploitation to infiltrate the internal network, followed by bypassing secure boot processes and establishing a covert command-and-control channel over DNS.
“By compromising an independent communication CPU, we could interface directly with the CAN bus, which governs critical body elements, including mirrors, wipers, door locks, and even the steering,” the researchers explained.
CAN segmentation varies by manufacturer. Some isolate IVI traffic behind a secure gateway, while others still share a physical CAN segment that trusts diagnostic messages.
Vendor Response
Volkswagen, the only OEM to comment publicly on this recent Bluetooth vulnerability, insists PerfektBlue is “restricted to infotainment functions.” A spokesperson noted that exploitation requires the target vehicle to be in pairing mode, the driver to approve the pairing request, and the attacker to remain within ~7 meters. Nevertheless, VW is issuing OTA and dealer‑installed patches and urges owners to verify pairing codes before acceptance.
Security experts counter that while Bluetooth may advertise a 7-meter range, commodity directional antennas can routinely achieve 100–200 meters of coverage.
Likewise, user-interaction roadblocks can disappear when cars are part of corporate or government fleets, as fleet managers often enable automatic pairing for telematics.
As organizations increasingly rely on Bluetooth-enabled devices—from corporate laptops to IoT sensors—the wireless airspace becomes an invisible but vulnerable attack surface. Traditional network security tools focus on wired connections and digital traffic, leaving RF communications largely unmonitored.
The PerfektBlue vulnerabilities demonstrate several key lessons for security professionals:
- Proximity-Based Threats Are Real: Attackers no longer need physical access or network credentials. Being within wireless range creates opportunities for exploitation.
- Bluetooth Represents a Persistent Risk: Despite security improvements, Bluetooth implementations continue to harbor vulnerabilities that can provide initial access to critical systems.
- Lateral Movement Through Wireless Channels: Once inside via Bluetooth, attackers can potentially access other networked systems, as demonstrated by the potential to reach CAN bus controls.
- Detection Challenges: Without proper RF monitoring, organizations cannot detect unauthorized Bluetooth devices attempting to pair with their systems or identify anomalous wireless behavior.
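
One way to act on the detection lesson and on the fleet auto-pairing concern above is to audit head-unit pairing events centrally. The following is an added example, not code from the researchers or any vendor; the log format, field names, allowlist and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical head-unit format (not a real IVI log).
SAMPLE_LOG = """\
2025-07-10T08:00:01Z vin=FLEET001 bt_pair peer=02:00:00:00:00:01 confirm=user result=accepted
2025-07-10T08:10:00Z vin=FLEET002 bt_pair peer=02:00:00:00:00:99 confirm=auto result=accepted
2025-07-10T09:00:00Z vin=FLEET003 bt_pair peer=02:00:00:00:00:77 confirm=user result=rejected
2025-07-10T09:00:20Z vin=FLEET003 bt_pair peer=02:00:00:00:00:77 confirm=user result=rejected
2025-07-10T09:00:45Z vin=FLEET003 bt_pair peer=02:00:00:00:00:77 confirm=user result=rejected
2025-07-10T11:30:00Z vin=FLEET001 bt_pair peer=02:00:00:00:00:01 confirm=auto result=accepted
"""
ALLOWLIST = {"02:00:00:00:00:01"}  # constructed: enrolled driver/telematics devices
BURST, WINDOW = 3, timedelta(seconds=60)  # assumed thresholds for a pairing burst

LINE = re.compile(
    r"(?P<ts>\S+) vin=(?P<vin>\S+) bt_pair peer=(?P<peer>[0-9A-F:]{17}) "
    r"confirm=(?P<confirm>user|auto) result=(?P<result>accepted|rejected)")

def audit(log, allowlist=ALLOWLIST):
    """Return a sorted list of (vin, peer, finding) tuples."""
    findings, rejected = set(), defaultdict(list)
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # ignore unrelated or malformed lines
        vin, peer = m["vin"], m["peer"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if m["result"] == "accepted":
            if m["confirm"] == "auto":
                # Pairing completed with no driver approval step.
                findings.add((vin, peer, "paired_without_driver_confirmation"))
            if peer not in allowlist:
                findings.add((vin, peer, "unknown_peer_paired"))
        else:
            # Keep only rejections inside the sliding window, then test for a burst.
            recent = [t for t in rejected[(vin, peer)] if ts - t <= WINDOW] + [ts]
            rejected[(vin, peer)] = recent
            if len(recent) >= BURST:
                findings.add((vin, peer, "repeated_pairing_attempts"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

An allowlisted device that pairs without confirmation is still reported, because the driver-approval step is one of the conditions the vendor statement relies on.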