PerfektBlue Bluetooth Flaw Exposes Millions of Cars to Remote Hacking Risk
13th July 2025, Kathmandu
PCA Cyber Security has uncovered a critical Bluetooth vulnerability in cars, affecting millions of vehicles from major manufacturers including Mercedes-Benz, Volkswagen, and Skoda.
The newly discovered set of flaws, known collectively as PerfektBlue, impacts OpenSynergy’s BlueSDK Bluetooth stack, which is widely used in automotive infotainment systems.
What is PerfektBlue?
PerfektBlue is a chained attack that exploits multiple vulnerabilities in the BlueSDK Bluetooth stack, allowing attackers to achieve remote code execution (RCE) over Bluetooth. This level of access could lead to:
Audio surveillance
Location tracking
Unauthorized access to phonebook data
Theoretical control of vehicle functions (e.g., steering or wipers)
While researchers stopped short of accessing critical car functions, the proof-of-concept demonstrations raise serious concerns for drivers, OEMs, and cybersecurity professionals.
Technical Breakdown of Identified CVEs
CVE ID | Description | CVSS Score | Severity
CVE-2024-45434 | Use-After-Free in AVRCP service | 8.0 | Critical
CVE-2024-45431 | Improper validation of L2CAP channel remote CID | 3.5 | Low
CVE-2024-45433 | Incorrect function termination in RFCOMM | 5.7 | Medium
CVE-2024-45432 | Function call with incorrect parameter in RFCOMM | 5.7 | Medium
Real-World Impact: Tested Head Units
Researchers at PCA Cyber Security tested the vulnerabilities on the following systems:
Mercedes-Benz NTG6 head unit
Volkswagen MEB ICAS3 head unit
Skoda MIB3 head unit
These infotainment systems use BlueSDK, and when paired via Bluetooth, they were found to be vulnerable to 1-click RCE.
Key Statement from PCA:
“With this level of access, an attacker could manipulate the operating system, escalate privileges, and potentially pivot to other critical vehicle components.”
How Does the PerfektBlue Attack Work?
The only requirement for launching a PerfektBlue attack is successful pairing with the car’s Bluetooth system. However, because manufacturers implement BlueSDK differently, how hard that pairing is to obtain varies:
Some systems may allow unlimited pairing attempts
Others may use an insecure “Just Works” pairing
In some rare cases, pairing might not even be required
The attack can be launched over the air and may require at most one click from the user.
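The three pairing weaknesses listed above can be looked for in a head unit's Bluetooth event log. The following is an added example, not code from PCA Cyber Security or OpenSynergy; the log format, event names, thresholds and function name are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events in a hypothetical head-unit log format:
#   <epoch-seconds> <event> <peer-address> [key=value]
SAMPLE_LOG = """\
1000 PAIR_FAIL AA:AA:AA:00:00:01
1004 PAIR_FAIL AA:AA:AA:00:00:01
1009 PAIR_FAIL AA:AA:AA:00:00:01
1013 PAIR_FAIL AA:AA:AA:00:00:01
1020 PAIR_OK AA:AA:AA:00:00:01 model=just_works
2000 PAIR_OK BB:BB:BB:00:00:02 model=numeric_comparison
2050 PROFILE_CONNECT BB:BB:BB:00:00:02 profile=AVRCP
3000 PROFILE_CONNECT CC:CC:CC:00:00:03 profile=RFCOMM
"""

LINE = re.compile(r"^(\d+) (\w+) ([0-9A-F:]{17})(?: (\w+)=(\w+))?$")

def audit_pairing_log(text, max_failures=3, window=60):
    """Return sorted (peer, finding) tuples for the three weak-pairing cases."""
    findings = set()
    failures = defaultdict(list)   # peer -> timestamps of recent failed attempts
    paired = set()                 # peers that completed pairing
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue               # skip malformed lines instead of guessing
        ts, event, peer, _key, value = m.groups()
        ts = int(ts)
        if event == "PAIR_FAIL":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[peer] if ts - t <= window] + [ts]
            failures[peer] = recent
            if len(recent) > max_failures:
                findings.add((peer, "no-lockout-on-repeated-pairing"))
        elif event == "PAIR_OK":
            paired.add(peer)
            if value == "just_works":
                findings.add((peer, "just-works-pairing-accepted"))
        elif event == "PROFILE_CONNECT" and peer not in paired:
            findings.add((peer, f"{value or 'profile'}-connect-without-pairing"))
    return sorted(findings)

if __name__ == "__main__":
    for peer, finding in audit_pairing_log(SAMPLE_LOG):
        print(peer, finding)
```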
Who Is Affected?
BlueSDK is integrated into various models and infotainment systems from:
Mercedes-Benz
Volkswagen
Skoda
Other automotive brands using BlueSDK or its customized variants may also be vulnerable, especially if secure pairing mechanisms aren’t enforced.
Additionally, any Bluetooth-enabled embedded devices using BlueSDK—such as smart home products or industrial systems—may be at risk.
Disclosure Timeline: From Report to Patch
Date | Event
May 17, 2024 | PCA reports flaws to OpenSynergy
July 15, 2024 | OpenSynergy acknowledges and begins patch development
September 2024 | Fixes completed and made available
March 2025 | PCA starts coordinated disclosure
June 10, 2025 | PCA notifies OpenSynergy of public release plan
July 7, 2025 | Public advisory officially released
Despite proactive communication, at least one OEM reported not receiving the patch via their supply chain as of late June 2025.
Security Recommendations
If your vehicle or product uses BlueSDK, here’s what you should do:
Update firmware or infotainment system software from your vehicle manufacturer.
Disable Bluetooth if not in use.
Avoid pairing with unknown or untrusted devices.
Request support from your OEM or dealer about BlueSDK vulnerabilities.
About PCA Cyber Security
PCA Cyber Security, formerly PCAutomotive, was established in 2019 and is headquartered in Budapest, Hungary. The company specializes in:
Embedded device penetration testing
Threat intelligence
Automotive cybersecurity
Continuous threat monitoring
Their mission is to protect the next generation of vehicles and devices from advanced threats through world-class research and industry collaboration.
Conclusion: A Wake-Up Call for the Automotive Industry
The discovery of PerfektBlue underlines the urgent need for better Bluetooth security in cars. With billions of connected vehicles expected on the roads in the next decade, automotive manufacturers must prioritize secure software development, testing, and patch management.
As digital cars become the norm, vulnerabilities like this could be the gateway for more severe cyberattacks. The time to act is now.