 [Nate Nelson, Contributing Writer](/author/nate-nelson)July 11, 2025 5 Min Read  Source: Dmitrii Melnikov via Alamy Stock Photo [](https://www.linkedin.com/sharing/share-offsite/?url=https://www.darkreading.com/vulnerabilities-threats/350m-cars-1b-devices-1-click-bluetooth-rce)[](http://www.facebook.com/sharer/sharer.php?u=https://www.darkreading.com/vulnerabilities-threats/350m-cars-1b-devices-1-click-bluetooth-rce)[](http://www.twitter.com/intent/tweet?url=https://www.darkreading.com/vulnerabilities-threats/350m-cars-1b-devices-1-click-bluetooth-rce)[](https://www.reddit.com/submit?url=https://www.darkreading.com/vulnerabilities-threats/350m-cars-1b-devices-1-click-bluetooth-rce&title=350M%20Cars%2C%201B%20Devices%20Exposed%20to%201-Click%20Bluetooth%20RCE)[](mailto:?subject=350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE&body=I%20thought%20the%20following%20from%20Dark%20Reading%20might%20interest%20you.%0D%0A%0D%0A%20350M%20Cars%2C%201B%20Devices%20Exposed%20to%201-Click%20Bluetooth%20RCE%0D%0Ahttps%3A%2F%2Fwww.darkreading.com%2Fvulnerabilities-threats%2F350m-cars-1b-devices-1-click-bluetooth-rce) Four vulnerabilities in a popular Bluetooth implementation can be chained together to enable remote code execution (RCE) in untold millions of vehicles and miscellaneous devices.’Blue SDK’ is a Bluetooth protocol stack and software development kit (SDK). On May 17, 2024, researchers from PCA Cyber Security discovered a range of vulnerabilities in Blue SDK that, together, allowed them to remotely execute code in devices that rely on it for Bluetooth connectivity. They called their exploit chain ‘[PerfektBlue](https://perfektblue.pcacybersecurity.com/).’ The scope of affected systems is massive. The developer, OpenSynergy, proudly boasts on [its homepage](https://www.opensynergy.com/) that Blue SDK — and RapidLaunch SDK, which is built on top of it and therefore also possibly vulnerable — has been shipped in 350 million cars. Those cars come from companies like Mercedes-Benz, Volkswagen, and Skoda, as well as a fourth known but unnamed company. Since [Ford integrated Blue SDK](https://www.opensynergy.com/blue-sdk-rides-in-fords-android-based-ivi-system/) into its Android-based [in-vehicle infotainment (IVI) systems](https://www.darkreading.com/vulnerabilities-threats/6-infotainment-bugs-mazda-usbs) in November, Dark Reading has reached out to determine whether it too was exposed. Aside from just cars, though, OpenSynergy claims that Blue SDK touches more than 1 billion embedded devices around the globe, including in the consumer, mobile, industrial, and medical industries.The PerfektBlue Exploit———————–Related:[As Cyber-Insurance Premiums Drop, Coverage Is Key to Resilience](/vulnerabilities-threats/cyber-insurance-premiums-drop-coverage-key-resilience)The researchers counted four bugs in Blue SDK, labeled CVE-2024-45431 through CVE-2024-45434. They vary in criticality, with the former receiving a ‘low’ 3.5 out of 10 rating in the Common Vulnerability Scoring System, and the latter a ‘high’ 8.0. Like any Bluetooth hack, the one major hurdle in actually exploiting these vulnerabilities is physical proximity. An attacker would likely have to position themselves within around 10 meters of a target device in order to pair with it, and the device would have to comply. Because Blue SDK is merely a framework, different devices might block pairing, limit the number of pairing requests an attacker could attempt, or at least require a click to accept a pairing.This is a point of contention between the researchers and Volkswagen. The car manufacturer told [Bleeping Computer](https://www.bleepingcomputer.com/news/security/perfektblue-bluetooth-flaws-impact-mercedes-volkswagen-skoda-cars/) that the exploit relies on five highly specific conditions: * The attacker is within a maximum distance of 5 to 7 meters from the vehicle.* The vehicle’s ignition must be switched on.* The infotainment system must be in pairing mode — i.e., the vehicle user must be actively pairing a Bluetooth device.* The vehicle user must actively approve the external Bluetooth access of the attacker on the screen.* The attacker must remain within that 5- to 7-meter maximum distance in order to maintain access to the vehicle.Related:[SIM Swap Fraud Is Surging — and That’s a Good Thing](/vulnerabilities-threats/sim-swap-fraud-surging-good)Mikhail Evdokimov, senior security researcher of PCA, clarified that some of these conditions are not accurate.’Usually, in modern cars, an infotainment system can be turned on without activating the ignition. For example, in the Volkswagen ID.4 and Skoda Superb, it’s not necessary,’ he says, though the case may vary vehicle to vehicle. And while initial access does require close physical proximity, an attacker could use PerfektBlue to plant remote access malware, enabling them to persist over a network connection at any distance.Even the pairing mode precondition is not cut and dry. PCA’s Cyber Security’s Security Assessment team told Dark Reading in a statement that ‘it depends on a car. In the case of the Mercedes-Benz NTG6, it’s true. However, for the Volkswagen ID.4 and Skoda Superb, the attacker can initiate the pairing process remotely, that doesn’t require a user to put the infotainment system in pairing mode.’ Potential Consequences———————-In its published research, PCA noted that PerfektBlue could enable attackers to [track a vehicle via GPS](https://www.darkreading.com/vulnerabilities-threats/car-exploit-spy-drivers-real-time), record audio inside of the car, and steal personal data like phone contacts.Though they didn’t test it themselves, the researchers also indicated that an IVI breach could lead to threats to other, safety-critical systems. ‘You can consider PerfektBlue as an entry point to a vehicle’s internal infrastructure, composed of dozens of different modules and systems. With code execution in one of them, an attacker gains quite a large attack surface for further exploitation steps which eventually can lead to [compromise of a car’s critical components](https://www.darkreading.com/cyberattacks-data-breaches/cybercriminals-can-steal-your-car-novel-iot-hack),’ the company wrote in its statement.Related:[Browser Exploits Wane as Users Become the Attack Surface](/vulnerabilities-threats/browser-exploits-wane-users-become-attack-surface)Volkswagen, on the other hand, told reporters that PerfektBlue couldn’t affect deeper-lying systems in its vehicles, like steering and brake control, because of intervening security layers.Dark Reading has reached out to Volkswagen regarding where its findings differ from PCA’s.Patching Complications———————-OpenSynergy reports that [a patch was supplied for customers](https://www.opensynergy.com/perfektblue/) in September 2024. There are indications, though, that a not insignificant portion of affected devices are still vulnerable. On June 23, for instance, one unnamed original equipment manufacturer (OEM) told the researchers that they hadn’t received a patch, or even any notice that their vehicles were vulnerable.Nick Tausek, lead security automation architect at Swimlane, cuts OpenSynergy some slack. ‘The complex relationship of vendors and manufacturers, the rising tide of supply chain attacks, the often absent status of a software bill of materials (SBOM), and planned obsolescence combine to make a difficult surface for knowing who is affected as well as actually patching these types of devices, with delayed notification to OEMs and especially after-market manufacturers to be expected, and patching often requiring a visit to a dealership,’ he says. ‘The likelihood of patching equipment that has reached end of support from the manufacturer is also a concern for these kinds of exploits.’ He adds, ‘To me, attacks like PerfektBlue historically do more to illustrate the complicated landscape of -[Internet of Things-] patching than they do to represent a real threat to your average user.’OpenSynergy was not immediately available for comment on this story. [](https://www.linkedin.com/sharing/share-offsite/?url=https://www.darkreading.com/vulnerabilities-threats/350m-cars-1b-devices-1-click-bluetooth-rce)[](http://www.facebook.com/sharer/sharer.php?u=https://www.darkreading.com/vulnerabilities-threats/350m-cars-1b-devices-1-click-bluetooth-rce)[](http://www.twitter.com/intent/tweet?url=https://www.darkreading.com/vulnerabilities-threats/350m-cars-1b-devices-1-click-bluetooth-rce)[](https://www.reddit.com/submit?url=https://www.darkreading.com/vulnerabilities-threats/350m-cars-1b-devices-1-click-bluetooth-rce&title=350M%20Cars%2C%201B%20Devices%20Exposed%20to%201-Click%20Bluetooth%20RCE)[](mailto:?subject=350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE&body=I%20thought%20the%20following%20from%20Dark%20Reading%20might%20interest%20you.%0D%0A%0D%0A%20350M%20Cars%2C%201B%20Devices%20Exposed%20to%201-Click%20Bluetooth%20RCE%0D%0Ahttps%3A%2F%2Fwww.darkreading.com%2Fvulnerabilities-threats%2F350m-cars-1b-devices-1-click-bluetooth-rce) About the Author—————- [Nate Nelson, Contributing Writer](/author/nate-nelson)
Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote ‘Malicious Life,’ an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts ‘The Industrial Security Podcast.’ [See more from Nate Nelson, Contributing Writer](/author/nate-nelson) Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. [Subscribe](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_defa3135&ch=drwebbutton) More Insights Webinars* [New Research: Machine Learning Classifiers Don’t Need Negative Labels](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_defa8737&ch=SBX&cid=_upcoming_webinars_8.500001573&_mc=_upcoming_webinars_8.500001573)Jul 16, 2025* [Best Practices for Cloud Detection and Response: Real-World Lessons from Multi-Cloud Attacks](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_palo339&ch=SBX&cid=_upcoming_webinars_8.500001579&_mc=_upcoming_webinars_8.500001579)Jul 17, 2025* [Think Like a Cybercriminal to Stop the Next Potential Attack](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_cmdc03&ch=SBX&cid=_upcoming_webinars_8.500001572&_mc=_upcoming_webinars_8.500001572)Jul 22, 2025* [Elevating Database Security: Harnessing Data Threat Analytics and Security Posture](https://dr-resources.darkreading.com/c/pubRD.mpl?secure=1&sr=pp&_t=pp:&qf=w_rubr156&ch=SBX&cid=_upcoming_webinars_8.500001574&_mc=_upcoming_webinars_8.500001574)Jul 23, 2025* [The DOGE-effect on Cyber: What’s happened and what’s next?](https://www.brighttalk.com/webcast/18975/628444?utm_source=brighttalk-darkreading&utm_medium=web&utm_campaign=curation04242025&cid=_upcoming_webinars_8.500001554&_mc=_upcoming_webinars_8.500001554)Jul 24, 2025[More Webinars](/resources?types=Webinar) Events* [-[Virtual Event-] Strategic Security for the Modern Enterprise](https://ve.informaengage.com/virtual-events/strategic-security-for-the-modern-enterprise/?ch=sbx&cid=_session_16.500334&_mc=_session_16.500334)Jun 26, 2025* [-[Virtual Event-] Anatomy of a Data Breach](https://ve.informaengage.com/virtual-events/an-anatomy-of-a-data-breach-and-what-to-do-if-it-happens-to-you/?ch=sbx&cid=_session_16.500333&_mc=_session_16.500333)Jun 18, 2025* [-[Conference-] Black Hat USA – August 2-7 – Learn More](https://www.blackhat.com/us-25/?_mc=we_bhas25_drcuration&cid=_session_16.500330)Aug 2, 2025[More Events](/events) You May Also Like*** ** * ** ***[Vulnerabilities -& ThreatsDisclosure Drama Clouds CrushFTP Vulnerability Exploitation](https://www.darkreading.com/vulnerabilities-threats/disclosure-drama-clouds-crushftp-vulnerability-exploitation) [Vulnerabilities -& ThreatsCar Exploit Allows You to Spy on Drivers in Real Time](https://www.darkreading.com/vulnerabilities-threats/car-exploit-spy-drivers-real-time) [Vulnerabilities -& ThreatsPoC Exploit for Zero-Click Vulnerability Made Available to the Masses](https://www.darkreading.com/vulnerabilities-threats/poc-exploit-for-zero-click-vulnerability-made-available-to-the-masses) [Vulnerabilities -& ThreatsSolarWinds: Critical RCE Bug Requires Urgent Patch](https://www.darkreading.com/vulnerabilities-threats/solarwinds-critical-rce-bug-requires-urgent-patch)
Related Tags:
CVE-2024-45434
NAICS: 811 – Repair And Maintenance
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 334 – Computer And Electronic Product Manufacturing
NAICS: 81 – Other Services (except Public Administration)
NAICS: 336 – Transportation Equipment Manufacturing
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 33 – Manufacturing – Metal
Electronics And Other
Associated Indicators: