
PerfektBlue Bluetooth Flaw Exposes Millions of Cars to Remote Hacking Risk


13th July 2025, Kathmandu

PCA Cyber Security has uncovered a critical Bluetooth vulnerability in cars, affecting millions of vehicles from major manufacturers including Mercedes-Benz, Volkswagen, and Skoda.


The newly discovered set of flaws, known collectively as PerfektBlue, impacts OpenSynergy’s BlueSDK Bluetooth stack, which is widely used in automotive infotainment systems.

What is PerfektBlue?

PerfektBlue is a chained attack that exploits multiple vulnerabilities in the BlueSDK Bluetooth stack, allowing potential attackers to achieve remote code execution (RCE) via Bluetooth. This level of access could lead to:

Audio surveillance

Location tracking

Unauthorized access to phonebook data

Theoretical control of vehicle functions (e.g., steering or wipers)

While researchers stopped short of accessing critical car functions, the proof-of-concept demonstrations raise serious concerns for drivers, OEMs, and cybersecurity professionals.

Technical Breakdown of Identified CVEs

CVE ID            Description                                            CVSS Score   Severity

CVE-2024-45434    Use-After-Free in AVRCP service                        8.0          Critical

CVE-2024-45431    Improper validation of L2CAP channel remote CID        3.5          Low

CVE-2024-45433    Incorrect function termination in RFCOMM               5.7          Medium

CVE-2024-45432    Function call with incorrect parameter in RFCOMM       5.7          Medium

Real-World Impact: Tested Head Units

Researchers at PCA Cyber Security tested the vulnerabilities on the following systems:

Mercedes-Benz NTG6 head unit

Volkswagen MEB ICAS3 head unit

Skoda MIB3 head unit

These infotainment systems use BlueSDK, and when paired via Bluetooth, they were found to be vulnerable to 1-click RCE.

Key Statement from PCA:

“With this level of access, an attacker could manipulate the operating system, escalate privileges, and potentially pivot to other critical vehicle components.”

How the PerfektBlue Attack Works

The only requirement for launching a PerfektBlue attack is successful pairing with the car’s Bluetooth system. However, due to varying implementations of BlueSDK across manufacturers:

Some systems may allow unlimited pairing attempts

Others may use an insecure “Just Works” pairing

In some rare cases, pairing might not even be required

The attack can be launched over-the-air and may only require one click or less from the user.
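
The three pairing weaknesses listed above map to three checks a head unit can enforce before any Bluetooth profile becomes reachable. The Python model below is an added example, not code from PCA or OpenSynergy; the class names, constants and thresholds are assumptions chosen for illustration.

```python
# Added illustration; every name is hypothetical and none of this is the BlueSDK API.
from dataclasses import dataclass, field

MAX_FAILURES = 3        # assumed: failed attempts before a lockout
BASE_LOCKOUT_S = 30     # assumed: first lockout window, doubled on each repeat
MITM_SAFE_MODELS = {"numeric_comparison", "passkey_entry"}  # "just_works" excluded
UNAUTH_PROFILES = {"SDP"}  # service discovery is the only profile served unpaired

@dataclass
class PeerState:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    bonded: bool = False

@dataclass
class PairingGate:
    peers: dict = field(default_factory=dict)

    def request_pairing(self, addr, model, user_confirmed, now):
        """Decide one pairing attempt; returns (accepted, reason)."""
        p = self.peers.setdefault(addr, PeerState())
        if now < p.locked_until:           # bounded attempts, not unlimited
            return False, "locked_out"
        if model not in MITM_SAFE_MODELS:  # refuse Just Works
            return self._fail(p, now, "insecure_association_model")
        if not user_confirmed:
            return self._fail(p, now, "user_declined")
        p.failures, p.bonded = 0, True
        return True, "bonded"

    def _fail(self, p, now, reason):
        p.failures += 1
        if p.failures >= MAX_FAILURES:
            p.locked_until = now + BASE_LOCKOUT_S * (2 ** p.lockouts)
            p.lockouts += 1
            p.failures = 0
        return False, reason

    def allow_profile(self, addr, profile):
        """AVRCP, RFCOMM and the rest are refused to peers that never bonded."""
        p = self.peers.get(addr)
        return profile in UNAUTH_PROFILES or bool(p and p.bonded)
```

Per-address state alone is not enough in practice, since a peer address is not an authenticated identity; a global cap on pairing attempts belongs alongside it.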

Who Is Affected?

BlueSDK is integrated into various models and infotainment systems from:

Mercedes-Benz

Volkswagen

Skoda

Other automotive brands using BlueSDK or its customized variants may also be vulnerable, especially if secure pairing mechanisms aren’t enforced.

Additionally, any Bluetooth-enabled embedded devices using BlueSDK—such as smart home products or industrial systems—may be at risk.

Disclosure Timeline: From Report to Patch

Date              Event

May 17, 2024      PCA reports flaws to OpenSynergy

July 15, 2024     OpenSynergy acknowledges and begins patch development

September 2024    Fixes completed and made available

March 2025        PCA starts coordinated disclosure

June 10, 2025     PCA notifies OpenSynergy of public release plan

July 7, 2025      Public advisory officially released

Despite proactive communication, at least one OEM reported not receiving the patch via their supply chain as of late June 2025.

Security Recommendations

If your vehicle or product uses BlueSDK, here’s what you should do:

Update firmware or infotainment system software from your vehicle manufacturer.

Disable Bluetooth if not in use.

Avoid pairing with unknown or untrusted devices.

Request support from your OEM or dealer about BlueSDK vulnerabilities.

About PCA Cyber Security

PCA Cyber Security, formerly PCAutomotive, was established in 2019 and is headquartered in Budapest, Hungary. The company specializes in:

Embedded device penetration testing

Threat intelligence

Automotive cybersecurity

Continuous threat monitoring

Their mission is to protect the next generation of vehicles and devices from advanced threats through world-class research and industry collaboration.

Conclusion: A Wake-Up Call for the Automotive Industry

The discovery of PerfektBlue underlines the urgent need for better Bluetooth security in cars. With billions of connected vehicles expected on the roads in the next decade, automotive manufacturers must prioritize secure software development, testing, and patch management.

As digital cars become the norm, vulnerabilities like this could be the gateway for more severe cyberattacks. The time to act is now.
