This Bluetooth Exploit Can Hack a Mercedes, Volkswagen — No Tools, Just a Pairing Request

A set of four Bluetooth vulnerabilities dubbed “PerfektBlue”, discovered by researchers at PCA Cyber Security, expose a critical weakness in the BlueSDK Bluetooth stack developed by OpenSynergy. This stack is integrated into millions of vehicles via their In-Vehicle Infotainment (IVI) platforms.

The flaws, tracked as CVE-2024-45431 through CVE-2024-45434, allow an attacker within Bluetooth range to execute arbitrary code on the IVI unit, read driver data, and potentially pivot toward other vehicle networks. OpenSynergy shipped fixes to its customers in September 2024, but incomplete OEM roll-out has left a wide exposure window into 2025.

Who Is Affected?

Confirmed Vehicle Models:

  • Volkswagen ID.4 – ICAS3 IVI system
  • Mercedes-Benz – NTG6 platform
  • Skoda Superb – MIB3 infotainment
  • Fourth unnamed OEM – to be disclosed at a November 2025 security conference

Technical Analysis of Each Vulnerability

CVE-2024-45434 – Use-After-Free in AVRCP (High Severity)

  • Component: AVRCP (Audio/Video Remote Control Profile)
  • Bug Type: Use-after-free
  • Impact: Full Remote Code Execution (RCE)
  • Attack Prerequisites: Valid paired device or accepted pairing

Exploitation Flow:

  1. After pairing, the attacker sends a crafted AVRCP control request (the exact command has not been published).
  2. The request makes the stack free a session object while a reference to it is still held (a use-after-free, not a double-free).
  3. The attacker reclaims the freed memory with controlled data, for example an object whose function pointer field now holds an attacker-chosen address.
  4. When the stale reference is used, execution is redirected to the attacker's code (e.g., a reverse shell).

Illustrative snippet:

# Establish the paired connection from the attacker's adapter (placeholder address)
$ bluetoothctl
[bluetooth]# pair AA:BB:CC:DD:EE:FF
[bluetooth]# connect AA:BB:CC:DD:EE:FF
# bluetoothctl only brings the link up; it cannot craft AVRCP PDUs. The malformed
# control command that triggers the use-after-free must be sent by a custom AVRCP
# client over the established AVCTP channel (the exact PDU has not been published).
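The four steps above describe a generic use-after-free with heap reclaim. The following added example (written for this article, not BlueSDK or PCA code) models that flow in C so the mechanics are visible: a tiny LIFO pool stands in for the allocator (the session struct, pool size and handler names are assumptions), the vulnerable disconnect path leaves a cached pointer dangling, the attacker reallocates the same slot with an object whose function pointer they control, and the next dispatch through the stale pointer lands in the attacker's handler. The fixed variant clears the reference when the object is freed, so the same sequence drops the command instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the use-after-free flow described above; none of this
 * is BlueSDK code. A two-slot LIFO pool stands in for the heap so the reuse of
 * the freed session object is deterministic (allocator fast bins behave the
 * same way for same-sized chunks). */

typedef int (*cmd_handler_t)(uint8_t opcode);

struct avrcp_session {
    cmd_handler_t on_command;      /* dispatch pointer the stale reference hits */
    uint8_t       peer[6];         /* peer address, unused by the demo */
};

#define POOL_SLOTS 2
static struct avrcp_session pool[POOL_SLOTS];
static int free_idx[POOL_SLOTS];   /* stack of free slot indices */
static int free_top;

static void pool_reset(void)
{
    memset(pool, 0, sizeof pool);
    for (int i = 0; i < POOL_SLOTS; i++)
        free_idx[i] = i;
    free_top = POOL_SLOTS;
}
static struct avrcp_session *pool_alloc(void)
{
    return free_top > 0 ? &pool[free_idx[--free_top]] : NULL;
}
static void pool_free(struct avrcp_session *s)
{
    free_idx[free_top++] = (int)(s - pool);   /* last freed is first reused */
}

static int legit_handler(uint8_t op)    { return 0x100 | op; }     /* benign media control */
static int attacker_handler(uint8_t op) { (void)op; return 0xBAD; } /* stands in for the payload */

/* The stack keeps a cached pointer to the active session. */
static struct avrcp_session *current;

static void session_connect(void)
{
    current = pool_alloc();
    current->on_command = legit_handler;
}
/* Vulnerable: the object is freed but the cached pointer is left dangling. */
static void session_disconnect_vulnerable(void) { pool_free(current); }
/* Fixed: every reference is cleared when the object dies. */
static void session_disconnect_fixed(void)      { pool_free(current); current = NULL; }

/* Command dispatch on the cached session, as step 4 in the text describes. */
static int avrcp_dispatch(uint8_t op)
{
    return current ? current->on_command(op) : -1;   /* -1: no session, command dropped */
}

/* Steps 1-4 from the text: pair, free, reclaim the slot with attacker data, trigger. */
static int run_flow(void (*disconnect)(void))
{
    pool_reset();
    session_connect();
    disconnect();                                   /* step 2: object freed */
    struct avrcp_session *reclaim = pool_alloc();   /* step 3: same slot comes back (LIFO) */
    reclaim->on_command = attacker_handler;         /*         attacker-shaped object in stale memory */
    return avrcp_dispatch(0x44);                    /* step 4: stale pointer dispatches into it */
}

int run_vulnerable_flow(void) { return run_flow(session_disconnect_vulnerable); }
int run_fixed_flow(void)      { return run_flow(session_disconnect_fixed); }
int run_normal_dispatch(void) { pool_reset(); session_connect(); return avrcp_dispatch(0x44); }
```

The point of the pool is that the reclaim is deterministic: with a real allocator the attacker must spray same-sized objects until one lands in the freed chunk, but the outcome is the same once it does. Nulling the reference on free is the minimum fix; a reference count or a session table keyed by connection handle removes the dangling pointer class entirely.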

CVE-2024-45431 – L2CAP CID Mismatch (Low Severity)

  • Component: L2CAP (Logical Link Control and Adaptation Protocol)
  • Bug Type: Input validation flaw
  • Impact: Denial of Service, Setup for Chaining Exploits

Exploitation Flow:

  1. The attacker sends an L2CAP signaling packet that carries a channel ID outside the range the stack expects, or one that does not match an established channel.
  2. The BlueSDK L2CAP handler routes the packet to the wrong channel state or crashes the connection handler.
  3. On its own this is a crash primitive; in a chain it is used to force allocation patterns (heap grooming) before the later bugs are triggered.

Illustrative snippet:

# PyBluez opens an L2CAP channel by PSM; the channel ID (CID) is assigned by the
# stack and cannot be chosen from this API. The malformed-CID packet described in
# the flow above therefore needs raw HCI/ACL access (e.g. a Linux raw HCI socket),
# not this call, which only establishes an ordinary channel to the target.
import bluetooth

sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
sock.connect(("AA:BB:CC:DD:EE:FF", 0x1001))  # placeholder address; PSM 0x1001 (dynamic PSM range)
sock.close()
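The CVE is an input-validation bug around the remote channel ID, so the useful thing to see is the check that such a handler must make. The example below is added for this article (it is not BlueSDK code) and models an L2CAP Connection Response handler: the wire layout follows the Bluetooth Core L2CAP signaling format (little-endian 16-bit fields, signaling on CID 0x0001, dynamic CIDs from 0x0040), while the channel structure, state names and verdict codes are assumptions made for the demo. The unchecked variant stores whatever DCID the peer supplies; the hardened one validates lengths, pending state, identifier, SCID echo, result code and the DCID range before the channel opens.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of an L2CAP Connection Response handler, written for this
 * article to show the class of check the CVE describes; it is not BlueSDK code.
 * Wire format (Bluetooth Core, L2CAP): basic header {length, CID}, then a signaling
 * command {code, identifier, length, data}; for Connection Response the data is
 * {DCID, SCID, Result, Status}, all little-endian 16-bit. */

#define L2CAP_SIG_CID        0x0001   /* fixed signaling channel (ACL-U) */
#define L2CAP_CID_DYN_FIRST  0x0040   /* first dynamically allocated CID */
#define L2CAP_CONN_RSP       0x03
#define L2CAP_CR_SUCCESS     0x0000
#define L2CAP_CR_PENDING     0x0001
#define CONN_RSP_PDU_LEN     16       /* 4 header + 4 command header + 8 data */

enum chan_state { CHAN_CLOSED, CHAN_WAIT_CONNECT_RSP, CHAN_OPEN };

struct l2cap_chan {
    enum chan_state state;
    uint16_t scid;    /* our CID, sent in the Connection Request */
    uint16_t dcid;    /* peer's CID, learned from the response */
    uint8_t  ident;   /* identifier of the outstanding request */
};

enum verdict { RSP_OK, RSP_MALFORMED, RSP_NOT_PENDING, RSP_BAD_IDENT,
               RSP_BAD_SCID, RSP_REFUSED, RSP_BAD_DCID };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Vulnerable shape: stores whatever DCID the peer supplied. */
enum verdict conn_rsp_unchecked(struct l2cap_chan *c, const uint8_t *pdu, size_t len)
{
    if (len < CONN_RSP_PDU_LEN || pdu[4] != L2CAP_CONN_RSP)
        return RSP_MALFORMED;
    c->dcid  = rd16(pdu + 8);     /* may be 0x0000 or a fixed CID such as 0x0001 */
    c->state = CHAN_OPEN;         /* data for this channel now collides with signaling */
    return RSP_OK;
}

/* Hardened: lengths, pending state, identifier, SCID echo, result and DCID range. */
enum verdict conn_rsp_checked(struct l2cap_chan *c, const uint8_t *pdu, size_t len)
{
    if (len < CONN_RSP_PDU_LEN) return RSP_MALFORMED;
    if (rd16(pdu) != len - 4 || rd16(pdu + 2) != L2CAP_SIG_CID) return RSP_MALFORMED;
    if (pdu[4] != L2CAP_CONN_RSP || rd16(pdu + 6) != 8) return RSP_MALFORMED;
    if (c->state != CHAN_WAIT_CONNECT_RSP) return RSP_NOT_PENDING;
    if (pdu[5] != c->ident) return RSP_BAD_IDENT;

    uint16_t dcid = rd16(pdu + 8), scid = rd16(pdu + 10), result = rd16(pdu + 12);
    if (scid != c->scid) return RSP_BAD_SCID;
    if (result == L2CAP_CR_PENDING) return RSP_OK;          /* keep waiting, nothing to store */
    if (result != L2CAP_CR_SUCCESS) { c->state = CHAN_CLOSED; return RSP_REFUSED; }
    if (dcid < L2CAP_CID_DYN_FIRST) return RSP_BAD_DCID;    /* null or fixed CID: reject, stay pending */
    c->dcid  = dcid;
    c->state = CHAN_OPEN;
    return RSP_OK;
}

/* Build a Connection Response PDU (constructed test input, not captured traffic). */
void build_conn_rsp(uint8_t out[CONN_RSP_PDU_LEN], uint8_t ident,
                    uint16_t dcid, uint16_t scid, uint16_t result)
{
    wr16(out, 12); wr16(out + 2, L2CAP_SIG_CID);
    out[4] = L2CAP_CONN_RSP; out[5] = ident; wr16(out + 6, 8);
    wr16(out + 8, dcid); wr16(out + 10, scid); wr16(out + 12, result); wr16(out + 14, 0);
}

/* Peer answers our request (SCID 0x0040, ident 7) with DCID 0x0001, the signaling channel. */
int demo_unchecked_opens_on_fixed_cid(void)
{
    uint8_t pdu[CONN_RSP_PDU_LEN];
    struct l2cap_chan c = { CHAN_WAIT_CONNECT_RSP, 0x0040, 0, 7 };
    build_conn_rsp(pdu, 7, 0x0001, 0x0040, L2CAP_CR_SUCCESS);
    return conn_rsp_unchecked(&c, pdu, sizeof pdu) == RSP_OK && c.state == CHAN_OPEN && c.dcid == 0x0001;
}
int demo_checked_on_fixed_cid(void)
{
    uint8_t pdu[CONN_RSP_PDU_LEN];
    struct l2cap_chan c = { CHAN_WAIT_CONNECT_RSP, 0x0040, 0, 7 };
    build_conn_rsp(pdu, 7, 0x0001, 0x0040, L2CAP_CR_SUCCESS);
    return (int)conn_rsp_checked(&c, pdu, sizeof pdu);   /* expected: RSP_BAD_DCID, channel stays pending */
}
int demo_checked_on_valid_cid(void)
{
    uint8_t pdu[CONN_RSP_PDU_LEN];
    struct l2cap_chan c = { CHAN_WAIT_CONNECT_RSP, 0x0040, 0, 7 };
    build_conn_rsp(pdu, 7, 0x0045, 0x0040, L2CAP_CR_SUCCESS);
    return conn_rsp_checked(&c, pdu, sizeof pdu) == RSP_OK && c.state == CHAN_OPEN && c.dcid == 0x0045;
}
```

The same range check applies on the request side (a Connection Request whose SCID is below 0x0040 must be refused) and to every later signaling command that names a CID, such as Configure and Disconnect; a peer-supplied CID that is not looked up against the local channel table is exactly the mismatch this CVE describes.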

CVE-2024-45432 – Parameter Tampering in RFCOMM (Medium Severity)

  • Component: RFCOMM (Serial Port Emulation)
  • Bug Type: Function called with an incorrect (unvalidated) parameter
  • Impact: Limited remote command injection

Exploitation Flow:

  1. The attacker crafts an RFCOMM multiplexer control frame (for example an RPN port-settings command with an out-of-range baud rate, or an MSC modem-status command with unexpected signal flags).
  2. The values are passed unvalidated to an internal function that expects checked parameters, so the structures it operates on are corrupted.
  3. Depending on heap layout, this yields an arbitrary memory overwrite or, where the parameters reach a command path, command injection.

Potential use (not publicly demonstrated):

  • Trigger shell commands passed to debug consoles used by engineers.
  • Elevate from “media user” to “debug shell”.

CVE-2024-45433 – Unchecked Return in RFCOMM Disconnect (Medium Severity)

  • Component: RFCOMM
  • Bug Type: Improper function termination (cleanup skipped on an error path)
  • Impact: Buffer overrun → arbitrary code execution

Exploitation Flow:

  1. The attacker repeatedly opens and tears down RFCOMM links with abnormal flags so that the disconnect routine exits early.
  2. The early exit skips the reset of per-link state, leaving buffer lengths and contents from the previous link in place.
  3. On the next connection the stale state lets an otherwise normal-sized frame overrun the buffer.

Scenario:

Attacker exploits this to inject a memory scanner that exfiltrates pairing keys, GPS logs, or contacts from the IVI platform.
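The cleanup flaw above is a pattern, not a specific line of BlueSDK, so the following added example (written for this article, not vendor code) models it in C: an RFCOMM data link with a receive buffer, a disconnect routine whose error path returns before resetting the link, and a reconnect that then overruns the buffer with an ordinary frame. The link structure, buffer size, the send_disc() stand-in and the frame contents are all assumptions; dlc_rx() reports how far a write would spill instead of performing it, so the demo stays well defined while still showing the overflow the text describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the cleanup flaw described above (an early return that skips
 * the per-link reset); not BlueSDK code. The overflow is reported rather than performed:
 * dlc_rx() returns how many bytes a frame would have written past the buffer. */

#define RX_MAX 64

struct rfcomm_dlc {
    int     open;
    size_t  rx_len;            /* bytes currently queued in rx_buf */
    uint8_t rx_buf[RX_MAX];
};

/* Stand-in for a teardown step that can fail, e.g. the peer never answers DISC with UA. */
static int send_disc(int peer_acks) { return peer_acks ? 0 : -1; }

/* Vulnerable: the failure path returns before the state reset runs. */
int dlc_close_vulnerable(struct rfcomm_dlc *d, int peer_acks)
{
    d->open = 0;
    if (send_disc(peer_acks) != 0)
        return -1;              /* rx_len and rx_buf survive into the next link */
    d->rx_len = 0;
    memset(d->rx_buf, 0, sizeof d->rx_buf);
    return 0;
}

/* Fixed: one exit path; the link state is reset whether or not the peer cooperated. */
int dlc_close_fixed(struct rfcomm_dlc *d, int peer_acks)
{
    int rc = send_disc(peer_acks);
    d->open = 0;
    d->rx_len = 0;
    memset(d->rx_buf, 0, sizeof d->rx_buf);
    return rc;
}

static void dlc_open(struct rfcomm_dlc *d) { d->open = 1; }   /* assumes close() reset rx_len */

/* Queue an incoming frame. Returns -1 if the link is closed, 0 on success, or the number
 * of bytes that would spill past rx_buf (the write is skipped so the demo stays defined). */
int dlc_rx(struct rfcomm_dlc *d, const uint8_t *data, size_t n)
{
    if (!d->open)
        return -1;
    if (d->rx_len + n > RX_MAX)
        return (int)(d->rx_len + n - RX_MAX);
    memcpy(d->rx_buf + d->rx_len, data, n);
    d->rx_len += n;
    return 0;
}

/* The text's sequence: fill part of the buffer, abnormal disconnect, reconnect, one normal frame. */
int replay(int (*close_fn)(struct rfcomm_dlc *, int))
{
    static const uint8_t frame[48] = { 0xAA, 0x55 };   /* constructed 48-byte payload */
    struct rfcomm_dlc d;
    memset(&d, 0, sizeof d);

    dlc_open(&d);
    dlc_rx(&d, frame, sizeof frame);          /* 48 of 64 bytes queued */
    close_fn(&d, 0);                          /* peer withholds the UA: abnormal teardown */
    dlc_open(&d);                             /* attacker reconnects */
    return dlc_rx(&d, frame, sizeof frame);   /* stale rx_len: 48 + 48 - 64 = 32 bytes past the end */
}

int replay_vulnerable(void) { return replay(dlc_close_vulnerable); }
int replay_fixed(void)      { return replay(dlc_close_fixed); }
```

Two habits close this class of bug: reset link state unconditionally (or in the open path as well as the close path), and never let an error return skip the part of teardown that makes the object safe to reuse.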

Attack Scenario: Full PerfektBlue Chain

Step                      Description
1. Initial access         Attacker pairs with the vehicle using a malicious Bluetooth adapter. On some IVI units pairing is auto-approved or needs only a single tap.
2. L2CAP destabilization  CVE-2024-45431 used to disturb channel state or briefly crash the handler.
3. RFCOMM exploit         CVE-2024-45432 / CVE-2024-45433 used to execute rogue commands or corrupt function logic.
4. RCE via AVRCP          Final payload delivered via CVE-2024-45434, yielding shell access.
5. Post-exploitation      Attacker pivots: dump GPS logs, listen via the microphone, probe the CAN-bus interface.

Realistic Threat Models

  • Parking Lot Attacks: Attacker waits near dealership, shopping mall, or charging station.
  • Drive-by Exploits: At traffic lights or fuel stations, ordinary Bluetooth Classic range (roughly 10 to 100 m depending on radio class) is enough to complete pairing in seconds.
  • Targeted Stalking: Attacker installs rogue device in vehicle with short-term access (valet parking, service garage).
  • Fleet Espionage: Attack used to siphon data from corporate or governmental vehicles.

Broader Security Reflections

1. Infotainment ≠ Harmless

The misconception that infotainment is “air-gapped” from critical vehicle subsystems has been proven incorrect by:

  • Gateway ECUs and message bridges that connect the IVI to CAN
  • Debug interfaces (UART, JTAG) exposed in firmware
  • Shared memory buffers with GPS, modem, and voice modules

2. Supply Chain Obscurity Is a Risk Multiplier

  • OpenSynergy’s BlueSDK is closed source and governed by NDAs, leaving OEMs blind to embedded component vulnerabilities.
  • Lack of SBOM (Software Bill of Materials) transparency delayed patch response by 6–9 months for some vendors.

Mitigation & Detection Guidance

For OEMs:

  • Apply the BlueSDK 2024.09 (or later) patch to every affected IVI image without delay.
  • Separate media stack from telematics/critical systems using microkernel or hypervisor design.
  • Use Secure Boot and verified firmware update chains.
  • Enforce manual approval for all Bluetooth pairing attempts.

For Blue Teams / SOCs:

  • Monitor IVI logs for:
    • Repeated RFCOMM connects/disconnects
    • Unexpected AVRCP commands
    • Process creation (especially a shell) by the Bluetooth or media service
  • Implement Bluetooth protocol fuzzers in CI pipelines.
  • Segment debug ports from production-ready builds.
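The three log indicators above are easy to state and rarely written down as logic, so here is an added example (for this article, not a vendor or PCA tool) of a small detector in C that runs over IVI log lines. The log format is hypothetical ("<epoch> <process> <event> <peer-mac> [key=value]") and the sample lines are constructed, not captured from a vehicle; the window size and threshold are assumptions to tune per fleet. It raises one bit per indicator: RFCOMM connect/disconnect flapping from a single peer inside a time window, an AVRCP command whose AV/C opcode is not one AVRCP actually uses, and any process spawned by the Bluetooth service.

```c
#include <stdio.h>
#include <string.h>

/* Added example for the monitoring bullets above; it is not a vendor tool. The log
 * format is hypothetical: "<epoch> <process> <event> <peer-mac> [key=value]".
 * The sample lines are constructed, not captured from a vehicle. */

static const char *SAMPLE_LOG[] = {
    "1700000000 btd rfcomm_connect    11:22:33:44:55:66",
    "1700000003 btd rfcomm_disconnect 11:22:33:44:55:66",
    "1700000004 btd rfcomm_connect    11:22:33:44:55:66",
    "1700000006 btd rfcomm_disconnect 11:22:33:44:55:66",
    "1700000007 btd rfcomm_connect    11:22:33:44:55:66",
    "1700000009 btd rfcomm_disconnect 11:22:33:44:55:66",
    "1700000010 btd rfcomm_connect    11:22:33:44:55:66",
    "1700000012 btd rfcomm_disconnect 11:22:33:44:55:66",
    "1700000020 btd avrcp_cmd         11:22:33:44:55:66 opcode=0x7f",
    "1700000021 btd exec_child        11:22:33:44:55:66 path=/bin/sh",
};
#define SAMPLE_LOG_LINES (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

#define WINDOW_SEC     60
#define FLAP_THRESHOLD 4    /* RFCOMM disconnects from one peer inside the window */
#define MAX_PEERS      16

enum { ALERT_RFCOMM_FLAP = 1, ALERT_AVRCP_UNKNOWN = 2, ALERT_SHELL_SPAWN = 4 };

struct peer_stat {
    char mac[18];
    long disc_ts[FLAP_THRESHOLD];   /* ring of recent disconnect timestamps */
    int  head, count;
};
static struct peer_stat peers[MAX_PEERS];
static int npeers;

void detector_reset(void) { memset(peers, 0, sizeof peers); npeers = 0; }

static struct peer_stat *peer_for(const char *mac)
{
    for (int i = 0; i < npeers; i++)
        if (strcmp(peers[i].mac, mac) == 0) return &peers[i];
    if (npeers == MAX_PEERS) return NULL;
    strncpy(peers[npeers].mac, mac, sizeof peers[npeers].mac - 1);
    return &peers[npeers++];
}

/* AV/C opcodes AVRCP actually uses: VENDOR DEPENDENT, UNIT INFO, SUBUNIT INFO, PASS THROUGH. */
static int avrcp_opcode_known(unsigned op)
{
    return op == 0x00 || op == 0x30 || op == 0x31 || op == 0x7c;
}

/* Returns a bitmask of ALERT_* raised by this line (0 = nothing suspicious). */
int analyze_line(const char *line)
{
    long ts; char proc[16], event[32], mac[18], extra[64] = "";
    if (sscanf(line, "%ld %15s %31s %17s %63s", &ts, proc, event, mac, extra) < 4)
        return 0;
    int alerts = 0;

    if (strcmp(event, "rfcomm_disconnect") == 0) {
        struct peer_stat *p = peer_for(mac);
        if (!p) return 0;
        int recent = 1;                                  /* this disconnect */
        for (int i = 0; i < p->count; i++)
            if (ts - p->disc_ts[i] <= WINDOW_SEC) recent++;
        p->disc_ts[p->head] = ts;
        p->head = (p->head + 1) % FLAP_THRESHOLD;
        if (p->count < FLAP_THRESHOLD) p->count++;
        if (recent >= FLAP_THRESHOLD) alerts |= ALERT_RFCOMM_FLAP;
    } else if (strcmp(event, "avrcp_cmd") == 0) {
        unsigned op;
        if (sscanf(extra, "opcode=%x", &op) == 1 && !avrcp_opcode_known(op))
            alerts |= ALERT_AVRCP_UNKNOWN;
    } else if (strcmp(event, "exec_child") == 0) {
        alerts |= ALERT_SHELL_SPAWN;   /* the Bluetooth daemon should never spawn a process */
    }
    return alerts;
}

/* Runs the detector over a whole log and returns the union of alerts raised. */
int analyze_log(const char **lines, size_t n)
{
    detector_reset();
    int alerts = 0;
    for (size_t i = 0; i < n; i++)
        alerts |= analyze_line(lines[i]);
    return alerts;
}

int analyze_sample_log(void) { return analyze_log(SAMPLE_LOG, SAMPLE_LOG_LINES); }
```

On the constructed sample all three indicators fire (the fourth disconnect in 12 seconds, the unknown opcode 0x7f, and the exec from the daemon). The process-creation rule is the one worth wiring to an immediate page: a media stack has no legitimate reason to fork a shell, so there is no tuning to do.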

What’s Next?

  • PCA Cyber Security plans to release:
    • Full exploit scripts under a responsible disclosure framework.
    • Fourth OEM identity at VehicleSecCon 2025 in November.
    • Technical paper on “Automotive Protocol Stack Exploitation.”

The PerfektBlue flaws reveal a hidden risk layer in automotive cybersecurity — one where Bluetooth stacks, long considered secondary, now serve as gateways to embedded systems.