Researchers Discover 128 New Bluetooth Vulnerabilities in Modern Cars
A new Usenix study has uncovered 128 vulnerabilities in automotive Bluetooth systems, exposing a wide range of vehicles to potential cyberattacks. The research highlights critical weaknesses in the way modern cars handle wireless communication between devices and onboard systems.
BlueToolkit uncovers hidden flaws
The research team used the open-source BlueToolkit framework to perform automated security testing across 22 vehicles from 14 leading manufacturers released between 2015 and 2023. BlueToolkit is designed to simulate real-world Bluetooth interactions, including pairing, authentication, and data exchange processes, to detect flaws in implementation and protocol handling.
The analysis revealed a total of 128 distinct vulnerabilities, many of which allow attackers to compromise in-car infotainment systems or user accounts linked to vehicle apps. The flaws were categorized into four main types of attacks.
The most severe: user account takeover
The most dangerous category, dubbed User Account Takeover, enables adversaries to intercept and manipulate communication between a driver’s mobile device and the vehicle. By exploiting Bluetooth-based Man-in-the-Middle (MitM) vulnerabilities, attackers can potentially intercept SMS messages, access Hands-Free Profile (HFP) data, bypass two-factor authentication, and even seize control of connected user accounts.
Such exploits could allow an attacker to issue remote commands to the car’s infotainment system or retrieve sensitive data like contact lists, navigation history, and synced messages — all without physical access to the vehicle.
A widespread and overlooked threat
The findings emphasize that Bluetooth implementations in vehicles remain a weak point in automotive cybersecurity. Despite years of updates and new standards, many systems still rely on outdated or insufficiently verified Bluetooth stacks.
Researchers note that the vulnerabilities span multiple chipsets and software frameworks used by different manufacturers, suggesting the issue is systemic rather than brand-specific.
Recommendations and disclosure
The Usenix team has notified affected manufacturers and shared proof-of-concept demonstrations privately. Automakers have begun issuing patches and firmware updates for select models. However, given the complexity of in-car connectivity systems, researchers warn that complete mitigation may take months.
They recommend drivers keep vehicle software updated, disable Bluetooth pairing when not in use, and be cautious when connecting personal devices to shared or rental vehicles.
Conclusion
The study demonstrates that even seemingly harmless features like hands-free calling or media streaming can serve as vectors for serious intrusions. As cars become increasingly connected and autonomous, the boundary between digital and physical security continues to blur — making proactive cybersecurity testing more critical than ever.
Editorial Team — CoinBotLab