Researchers uncover a chain of flaws in a widely used automotive Bluetooth stack, exposing infotainment systems to remote compromise
In July 2025, cybersecurity researchers disclosed PerfektBlue, a set of four vulnerabilities (CVE-2024-45431 to -45434) found in OpenSynergy’s BlueSDK, a Bluetooth stack widely integrated into modern infotainment systems. The flaws affect millions of vehicles across brands including Volkswagen, Mercedes-Benz, and Skoda, enabling attackers to execute malicious code over Bluetooth Classic connections.
Attack Path and Impact
PerfektBlue can only be exploited at close range, requiring the attacker to be within 5-7 meters of a target vehicle and establish Bluetooth pairing. This limits the possibility of large-scale exploitation; however, a successful attack would open the IVI system to the hacker(s), leaking data such as:
- GPS data & Vehicle location
- Listening through in-car microphones
- Contact lists & communication logs
Safety-critical functions like braking and steering remain segmented. Yet, as past incidents (e.g., the 2015 Jeep Cherokee hack) have shown, weak network isolation could allow lateral movement if additional vulnerabilities exist.
Root Causes in Bluetooth Stack Design
PerfektBlue includes one memory corruption flaw and three logic-level vulnerabilities stemming from protocol mismanagement. Combined, they create a pathway to remote code execution once pairing succeeds.
The flaws illustrate ongoing issues in Bluetooth stack security:
- Multi-layer protocols such as L2CAP, RFCOMM, and AVRCP handle vast amounts of untrusted data.
- Implementations in C heighten memory safety risks.
- The wireless and real-time nature of Bluetooth complicates fuzz testing, letting subtle bugs persist across generations.
Delays in Fixing and Deployment
The vulnerabilities were first reported in May 2024, and a patch was issued by September 2024. Yet disclosure did not occur until July 2025, largely because automakers lagged in deploying updates.
Challenges included:
- Complex supply chains with limited visibility on software components.
- No software bills of materials (SBOMs)-thus OEMs were not aware that they even depended on BlueSDK.
- Highly manual service updates rather than OTA.
Wider Implications and Next Actions
As long as vehicle safety systems remain isolated, infotainment are not benign to breaches. Attackers could track drivers, eavesdrop on conversations, and steal sensitive data, or in poor circumstances, pivot to other systems if the segmentation is weak.
As a countermeasure, experts advised the automakers to:
- Consider Bluetooth stacks as high-value attack surfaces.
- Standardize the use of SBOMs so that the third-party software can be identified and tracked.
- Give priority to OTA update pipelines to reduce patch deployment delays.
- Integrate protocol fuzzing and binary analysis in the development lifecycles.
PerfektBlue is a reminder that connected vehicles remain vulnerable to wireless exploits. Without stronger defenses and adoption of patches faster, the automotive industry is repeating the same mistakes of past cybersecurity lapses.
(This article has been adapted and modified from content on Keysight Technologies.)
