PerfektBlue, a new and critical security threat targeting OpenSynergy’s BlueSDK framework, exposes millions of vehicles to remote attacks over Bluetooth.
This sophisticated attack chain leverages four vulnerabilities to achieve remote code execution with minimal user interaction, posing significant risks to automotive infotainment and control systems.
Researchers at PCA Cyber Security reported that PerfektBlue combines memory corruption and logic flaws within BlueSDK’s AVRCP, L2CAP, and RFCOMM protocols.
Exploitation enables attackers to access GPS data, record audio, extract personal information, and even move laterally to Electronic Control Units (ECUs).
The exploit chain affects millions of Mercedes-Benz, Volkswagen, and Škoda vehicles.
Tested proofs-of-concept confirmed successful attacks on Mercedes-Benz NTG6/NTG7, Volkswagen MEB ICAS3 (ID.4), and Škoda MIB3 (Superb) infotainment systems.
Attackers gain user-level privileges, such as phone or sint_sec_btapp permissions, within In-Vehicle Infotainment (IVI) systems.

PerfektBlue chains the following CVEs:

- CVE-2024-45434: Use-After-Free in AVRCP service (CVSS 8.0, Critical)
- CVE-2024-45431: Improper L2CAP channel CID validation (CVSS 3.5, Low)
- CVE-2024-45433: Incorrect function termination in RFCOMM (CVSS 5.7, Medium)
- CVE-2024-45432: Function call with incorrect parameter in RFCOMM (CVSS 5.7, Medium)

The attack starts by establishing a Bluetooth connection to the target, taking advantage of the fact that pairing implementations vary among manufacturers.
After gaining a foothold through the L2CAP and RFCOMM flaws, attackers exploit the critical Use-After-Free bug in the AVRCP service (CVE-2024-45434) to execute arbitrary code.
OpenSynergy released fixes in September 2024. However, automotive supply chain delays left some manufacturers unpatched until June 2025.
This gap highlights serious challenges in securing the automotive software supply chain.
Mitigation measures include applying firmware updates, disabling Bluetooth when unnecessary, and enforcing network segmentation to block lateral movement from IVI systems.
Manufacturers are urged to validate Bluetooth stack implementations and strengthen vulnerability disclosure mechanisms to prevent similar incidents.

