Millions of vehicles and devices have been exposed by Bluetooth RCE (Remote Code Execution)!
DarkReading.com reported that “Four vulnerabilities in a popular Bluetooth implementation can be chained together to enable remote code execution (RCE) in untold millions of vehicles and miscellaneous devices. "Blue SDK" is a Bluetooth protocol stack and software development kit (SDK). On May 17, 2024, researchers from PCA Cyber Security discovered a range of vulnerabilities in Blue SDK that, together, allowed them to remotely execute code in devices that rely on it for Bluetooth connectivity. They called their exploit chain "PerfektBlue."” The July 11, 2025 article entitled “350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE” (https://www.darkreading.com/vulnerabilities-threats/350m-cars-1b-devices-1-click-bluetooth-rce) included these comments about “The PerfektBlue Exploit”:
The researchers counted four bugs in Blue SDK, labeled CVE-2024-45431 through CVE-2024-45434. They vary in criticality, with the former receiving a "low" 3.5 out of 10 rating in the Common Vulnerability Scoring System, and the latter a "high" 8.0.
Like any Bluetooth hack, the one major hurdle in actually exploiting these vulnerabilities is physical proximity. An attacker would likely have to position themselves within around 10 meters of a target device in order to pair with it, and the device would have to comply. Because Blue SDK is merely a framework, different devices might block pairing, limit the number of pairing requests an attacker could attempt, or at least require a click to accept a pairing.
This is a point of contention between the researchers and Volkswagen. The car manufacturer told Bleeping Computer that the exploit relies on five highly specific conditions:
The attacker is within a maximum distance of 5 to 7 meters from the vehicle.
The vehicle's ignition must be switched on.
The infotainment system must be in pairing mode — i.e., the vehicle user must be actively pairing a Bluetooth device.
The vehicle user must actively approve the external Bluetooth access of the attacker on the screen.
The attacker must remain within that 5- to 7-meter maximum distance in order to maintain access to the vehicle.
Mikhail Evdokimov, senior security researcher of PCA, clarified that some of these conditions are not accurate.
"Usually, in modern cars, an infotainment system can be turned on without activating the ignition. For example, in the Volkswagen ID.4 and Skoda Superb, it's not necessary," he says, though the case may vary vehicle to vehicle. And while initial access does require close physical proximity, an attacker could use PerfektBlue to plant remote access malware, enabling them to persist over a network connection at any distance.
Even the pairing mode precondition is not cut and dry. PCA Cyber Security's Security Assessment team told Dark Reading in a statement that "it depends on a car. In the case of the Mercedes-Benz NTG6, it's true. However, for the Volkswagen ID.4 and Skoda Superb, the attacker can initiate the pairing process remotely, that doesn't require a user to put the infotainment system in pairing mode."
VERY BAD NEWS!