In a significant automotive security disclosure, PCA Cyber Security researchers found a set of vulnerabilities in the OpenSynergy BlueSDK Bluetooth stack. The vulnerabilities, collectively referred to as PerfektBlue, could enable hackers to remotely execute malicious code in vehicles from leading automakers such as Mercedes-Benz, Volkswagen, and Skoda, as well as a fourth, unspecified manufacturer.
Such Bluetooth-related weaknesses put millions of connected vehicles worldwide at risk of a significant cyber-attack, making this one of the most important vehicle security findings so far.
What are PerfektBlue Bluetooth Vulnerabilities?
PerfektBlue refers to a chain of memory corruption and logic flaws in the BlueSDK Bluetooth stack developed by OpenSynergy. When exploited in combination, these flaws allow an attacker within Bluetooth range to gain full remote code execution rights over a vehicle’s In-Vehicle Infotainment (IVI) system.
According to PCA Cyber Security, even though infotainment systems are usually segmented from critical vehicle controls, that separation often depends on the automaker’s internal architecture. In poorly segmented systems, the attacker can pivot from the infotainment system into deeper, sensitive zones — potentially reaching the engine or other critical components.
List of Identified Vulnerabilities in PerfektBlue
PCA researchers detailed four CVEs as part of the PerfektBlue exploit chain:
CVE Code | Description | CVSS Score |
---|---|---|
CVE-2024-45434 | Use-After-Free in AVRCP service | 8.0 (High) |
CVE-2024-45431 | Improper validation of the L2CAP channel’s remote CID | 3.5 |
CVE-2024-45433 | Incorrect function termination in RFCOMM | 5.7 |
CVE-2024-45432 | Function call with incorrect parameter in RFCOMM | 5.7 |
These four CVEs together make up the PerfektBlue Bluetooth Vulnerabilities discovered by PCA researchers. The flaws target different modules within the Bluetooth communication layer and, when combined, enable an attacker to execute arbitrary code remotely on vulnerable car systems.
Attack Requirements: Just Bluetooth Range
The attack does not require physical access to the car. A threat actor only needs to be within Bluetooth range and able to pair with the car’s infotainment system.
This is what makes PerfektBlue Bluetooth Vulnerabilities particularly dangerous for modern connected vehicles.
According to PCA, “The attack can be triggered over-the-air and amounts to a one-click exploit.” However, pairing behavior may vary across manufacturers — some may limit pairing requests, require user interaction, or disable Bluetooth pairing entirely. Still, the exploitability exists and is considered severe.
What Can an Attacker Do?
Once remote code execution is achieved on the IVI system, a range of malicious actions becomes possible:
- Track GPS location in real time
- Record conversations via the car’s microphone
- Access synced contact lists and call logs
- Move laterally into other vehicle systems
- Potentially gain control of critical functions like the engine
The level of impact ultimately depends on how securely the vehicle’s internal network is architected. Cars with weak network segmentation or unpatched software are at higher risk.
Patch Timeline & Disclosure
The vulnerabilities were responsibly disclosed in May 2024, and patches were released in September 2024. However, as with many automotive systems, patch adoption may take time, and many vehicles on the road today may still be vulnerable.
PCA Cyber Security emphasized:
“PerfektBlue allows an attacker to achieve remote code execution on a vulnerable device. It should be treated as a critical entry point into the targeted vehicle.”
Past Demonstrations of Vehicle Attacks
This is not the first time PCA Cyber Security has revealed car-related exploits. At Black Hat Asia 2024, the company demonstrated a hack of a Nissan Leaf electric vehicle: they were able to remotely bypass secure boot and break into the vehicle, gaining access to the CAN bus, the central nervous system of a vehicle.
By exploiting Bluetooth vulnerabilities, they established a command-and-control (C2) channel over DNS, allowing them to stay in constant contact with the car. They could later control mirrors, wipers, door locks, and even the steering.
What is CAN Bus?
The Controller Area Network (CAN) bus is a communication protocol in a vehicle that enables the various Electronic Control Units (ECUs) to communicate. Hackers with access to the CAN bus can masquerade as valid parts and send fake signals, such as:
- “A valid key is present.”
- “Unlock all doors.”
- “Start the engine.”
PCA also highlighted a real-world scenario where attackers hide a rogue device (like a disguised speaker) that plugs into the vehicle’s CAN wiring. This device then mimics legitimate ECUs to unlock or even steal the car.
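Classic CAN frames carry an identifier but nothing that authenticates the sender, so defenders commonly watch frame timing to spot a second node masquerading as an ECU. The following is an added example, not code from PCA Cyber Security or the original reporting: it learns each ID's send period from a known-good candump-style capture and flags frames that arrive too early or use an unseen ID. The log lines, the IDs 0x2A0 and 0x7DF, and the 0.5 tolerance are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# candump -L style line: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)")

def parse(log):
    """Yield (timestamp, can_id, data_hex) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), int(m.group(3), 16), m.group(4).upper()

def learn_periods(log):
    """Median inter-arrival time per CAN ID from a known-good capture."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in parse(log):
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items() if g}

def detect(log, periods, tolerance=0.5):
    """Flag frames on unknown IDs, or arriving well before the learned period."""
    last, alerts = {}, []
    for ts, cid, data in parse(log):
        if cid not in periods:
            alerts.append((ts, cid, data, "unknown-id"))
        elif cid in last and ts - last[cid] < periods[cid] * tolerance:
            alerts.append((ts, cid, data, "too-early"))
        last[cid] = ts
    return alerts

# Constructed sample data (not from a real vehicle): ID 0x2A0 is sent every 100 ms.
BASELINE = "\n".join(f"({10 + i * 0.1:.6f}) can0 2A0#00" for i in range(6))
# Constructed capture: an extra 2A0#FF frame is injected, and unseen ID 0x7DF appears.
CAPTURE = """\
(20.000000) can0 2A0#00
(20.100000) can0 2A0#00
(20.130000) can0 2A0#FF
(20.200000) can0 2A0#00
(20.250000) can0 7DF#0201
(20.300000) can0 2A0#00
"""

if __name__ == "__main__":
    for alert in detect(CAPTURE, learn_periods(BASELINE)):
        print(alert)
```

Timing checks like this only cover periodic messages; event-driven IDs need a different baseline, such as allowed payload ranges.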
From Exploits to Fun (or Danger): Renault Clio as a Game Controller
In a related cybersecurity experiment, Pen Test Partners recently turned a 2016 Renault Clio into a Mario Kart-style game controller. By intercepting CAN bus signals, they successfully mapped steering, throttle, and braking controls to a Python-based gaming setup, demonstrating just how much control hackers can seize with access to CAN data.
Final Thoughts: Why PerfektBlue Should Not Be Ignored
As vehicles become more connected and software-driven, their attack surface continues to grow. Vulnerabilities like PerfektBlue show how something as seemingly harmless as a Bluetooth connection can be the launchpad for full system compromise.
If you’re in the automotive, IoT, or cybersecurity space, staying ahead of such vulnerabilities is not optional — it’s critical.
Note: This article is based on original reporting by The Hacker News.
Ahsan Ali is a technology blogger and the founder of Techzivo.com, a platform dedicated to delivering insightful and practical content for tech enthusiasts. He currently focuses on creating in-depth articles around cybersecurity, aiming to help readers stay safe and informed in the digital world. With a passion for emerging technologies, Ahsan plans to expand Techzivo’s coverage into other technology micro-niches such as AI, cloud computing, and digital privacy, offering valuable insights for a broader tech-savvy audience.