In-car Bluetooth: the hidden dangers and how to protect yourself
In the early 20th century, cars stopped being something exotic. Yes, they were still quite expensive — not that they aren’t today — but, overall, the introduction of the assembly line, which enabled mass production of vehicles, pushed the costs down and saturated the market.
Today, cars are truly ubiquitous. Some societies, like that of the USA, are unimaginable without them. Pretty soon after becoming a more or less affordable product, cars acquired entertainment systems. The first one, a car radio, was installed in a Chevrolet model in 1922, and in 1930, Motorola started making 5T71, the first third-party audio set designed specifically for cars.
Today, car infotainment systems double as navigation devices, pacifiers for children (cartoons!), communication sets, and security rigs. In most cases, their connectivity is enabled by Bluetooth, a tech that counts dozens upon dozens of applications. This is a plus: no technological spaghetti of wires hanging from the ports of the system, it’s all in the air. But there’s a flip side to this coin.
Car infotainment Bluetooth connection: vulnerabilities
This year, thus far, two major studies investigating just how (un)safe a car’s Bluetooth connection is were published. The results of both were quite alarming, although not pointing to any immediate critical danger. At least, for now.
The PerfektBlue car Bluetooth safety study
This research was led by PCA Cyber Security. The team focused on the OpenSynergy BlueSDK stack, one of the most widely used Bluetooth implementations in automotive systems today, adopted by big carmakers like Ford, Mercedes-Benz, and the entire Volkswagen group.
Researchers uncovered major vulnerabilities (CVE-2024-45431 through CVE-2024-45434), each granting malicious actors the access needed to play around with the car and the data it stores, up to remote execution of code. A quote from the report:
“The PCA Security Assessment Team identified multiple vulnerabilities with low-to-critical severity, allowing an attacker to obtain 1-click Remote Code Execution (RCE) in the operating system of a device which utilizes the BlueSDK Bluetooth stack. In this level of access, an attacker could manipulate the system, escalate privileges and perform lateral movement to other components of the target product.”
In layman’s terms, among other things, the vulnerabilities enable attackers to do the following:
- snatch contact lists and call history;
- track car location;
- hijack microphones for eavesdropping;
- reach other parts of the car’s internal network (rare cases, but still there).
Fortunately, the steering wheel and the pedals could not be messed with through the said holes. Vendors started releasing patches in late 2024 and early 2025; if you’re driving a Mercedes, a Ford, or anything from the Volkswagen Aktiengesellschaft, do check for updates.
The BlueToolkit investigation
BlueToolkit is an open-source Bluetooth vulnerability testing framework made by System Security Group at ETH Zurich in cooperation with Cyber Defence Campus. Recently, the team behind the framework used their creation to test how safe Bluetooth is in 22 different car models, including Renault, BMW, Honda, Tesla, and more. All in all, they discovered 64 vulnerabilities.
The testing aimed to reveal weaknesses that allow remote code execution, denial of service, and data extraction. In the process, the researchers have also shown how attackers could steal contacts, eavesdrop, track vehicles, and, in some rare cases, even disrupt operation of the cars’ core functions.
Protecting car’s Bluetooth connection from attacks
Here are some measures you can take to safeguard yourself from unpleasant surprises in your car:
- Don’t forget to disable Bluetooth when not using it. Simple yet effective: no connection — no hijacking. Especially when parking in a public lot.
- Clean up the list of paired devices. Whatever looks suspicious has to be deleted. Better yet, delete everything and pair just what you need anew.
- Make sure the connection is password-protected. In most cases it’s like that by default, but it never hurts to double-check. And make that password something more complicated than a straight 1 through 8 sequence.
- Stay current with the updates. As mentioned above, carmakers did release patches in response to the investigation. Make sure the firmware of your car’s infotainment system is up-to-date.