PerfektBlue: Critical Bluetooth Flaws Expose Millions of Cars to Remote Hacks
Four vulnerabilities within the Bluetooth stack BlueSDK, developed by OpenSynergy and collectively named PerfektBlue, pose a serious security threat to millions of vehicles. These flaws allow remote code execution on targeted devices and potentially grant access to critical components of automobiles manufactured by brands such as Mercedes-Benz, Volkswagen, and Skoda.
The software flaws were discovered by experts at PCA Cyber Security, a firm specializing in the protection of automotive systems. The issues were reported to OpenSynergy in May 2024, and by June, the developer had confirmed their existence. Fixes were made available to clients in September of the same year. However, a significant number of automakers have yet to deploy the updated firmware, with at least one major manufacturer only recently becoming aware of the issue.
The PerfektBlue attack is executed through a chain of exploits that the researchers were able to link together. In most cases a single click by the user is sufficient to trigger it. The vulnerabilities are exploitable over Bluetooth, and in certain configurations no user confirmation is required at all, only a specific system setup.
Although BlueSDK is extensively used in the automotive industry, its implementation spans other sectors as well, amplifying the potential scale of damage. PCA Cyber Security asserts that the vulnerabilities impact millions of devices and has demonstrated this in real-world scenarios: they successfully gained a reverse shell on vehicles including the Volkswagen ID.4 (ICAS3 system), Mercedes-Benz (NTG6), and Skoda Superb (MIB3), infiltrating through the infotainment systems.
The most critical issues relate to the Bluetooth AVRCP profile and the RFCOMM protocol:
- CVE-2024-45434 (High severity) — A use-after-free (UAF) flaw in the AVRCP service allows attackers to manipulate multimedia devices;
- CVE-2024-45433 and CVE-2024-45432 (Medium severity) — Function termination errors and incorrect parameter handling in RFCOMM;
- CVE-2024-45431 (Low severity) — Insufficient validation of the channel identifier in L2CAP.
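The last item in the list above names a bug class rather than a bug: an L2CAP frame carries a peer-supplied channel identifier (CID), and a stack that trusts that value to select a channel record without checking its range and state can be driven to read or write outside its channel table or into a stale entry. The following is an added illustrative example, not BlueSDK code and not a reconstruction of CVE-2024-45431 (whose details are not on this page); it shows the receive-path checks a defender expects to find, using hypothetical names (`l2cap_stack`, `l2cap_rx`, `MAX_CHANNELS`) and a constructed one-channel fixture. The CID constants come from the Bluetooth Core specification, where CIDs below 0x0040 are fixed or reserved and dynamic channels start at 0x0040.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the Bluetooth Core spec: dynamic CIDs start at 0x0040; lower values
 * are fixed/reserved. MAX_CHANNELS is a hypothetical table size. */
#define L2CAP_HDR_LEN        4
#define L2CAP_CID_DYN_START  0x0040
#define MAX_CHANNELS         8

enum chan_state { CHAN_FREE = 0, CHAN_OPEN = 1 };

struct l2cap_channel {          /* hypothetical per-channel record */
    uint16_t cid;
    enum chan_state state;
    uint16_t mtu;               /* MTU negotiated for this channel */
};

struct l2cap_stack { struct l2cap_channel chans[MAX_CHANNELS]; };

/* The weak pattern: treat the peer-supplied CID as a direct table index.
 * Only the index is computed here (never dereferenced) so the reader can see
 * how far outside an 8-entry table a crafted CID would land. */
int l2cap_unchecked_index(uint16_t cid)
{
    return (int)cid - L2CAP_CID_DYN_START;
}

/* Parse the 4-byte basic header: little-endian payload length, then CID.
 * The length field must match the bytes actually received. */
static bool l2cap_parse_hdr(const uint8_t *pkt, size_t pkt_len,
                            uint16_t *payload_len, uint16_t *cid)
{
    if (pkt_len < L2CAP_HDR_LEN) return false;
    *payload_len = (uint16_t)(pkt[0] | (pkt[1] << 8));
    *cid         = (uint16_t)(pkt[2] | (pkt[3] << 8));
    return (size_t)*payload_len == pkt_len - L2CAP_HDR_LEN;
}

/* Hardened lookup: a CID is honoured only if it is in the dynamic range AND
 * names a channel that is currently open; anything else yields NULL. */
static struct l2cap_channel *l2cap_lookup_cid(struct l2cap_stack *s, uint16_t cid)
{
    if (cid < L2CAP_CID_DYN_START) return NULL;
    for (int i = 0; i < MAX_CHANNELS; i++)
        if (s->chans[i].state == CHAN_OPEN && s->chans[i].cid == cid)
            return &s->chans[i];
    return NULL;
}

/* Receive path: 1 = delivered to an open channel, 0 = dropped (short frame,
 * length mismatch, unknown/closed CID, or payload above the channel MTU). */
int l2cap_rx(struct l2cap_stack *s, const uint8_t *pkt, size_t pkt_len)
{
    uint16_t len, cid;
    if (!l2cap_parse_hdr(pkt, pkt_len, &len, &cid)) return 0;
    struct l2cap_channel *ch = l2cap_lookup_cid(s, cid);
    if (ch == NULL) return 0;
    if (len > ch->mtu) return 0;
    return 1;
}

/* Constructed fixture: one open channel, CID 0x0040, MTU 48 bytes. */
void l2cap_demo_stack(struct l2cap_stack *s)
{
    memset(s, 0, sizeof(*s));
    s->chans[0].cid   = L2CAP_CID_DYN_START;
    s->chans[0].state = CHAN_OPEN;
    s->chans[0].mtu   = 48;
}

/* Build a constructed frame addressed to `cid` with `n` bytes of filler. */
size_t l2cap_build_frame(uint8_t *buf, size_t buf_len, uint16_t cid, size_t n)
{
    if (n > 0xFFFF || buf_len < L2CAP_HDR_LEN + n) return 0;
    buf[0] = (uint8_t)(n & 0xFF);   buf[1] = (uint8_t)(n >> 8);
    buf[2] = (uint8_t)(cid & 0xFF); buf[3] = (uint8_t)(cid >> 8);
    memset(buf + L2CAP_HDR_LEN, 0x41, n);
    return L2CAP_HDR_LEN + n;
}

/* Run one constructed frame through the receive path; `deliver` truncates
 * the frame to that many bytes first (0 = deliver the whole frame). */
int l2cap_demo_result(uint16_t cid, size_t payload, size_t deliver)
{
    struct l2cap_stack s;
    uint8_t frame[128];
    l2cap_demo_stack(&s);
    size_t n = l2cap_build_frame(frame, sizeof frame, cid, payload);
    if (n == 0) return -1;
    if (deliver != 0 && deliver < n) n = deliver;
    return l2cap_rx(&s, frame, n);
}

int main(void)
{
    printf("open CID 0x0040 -> %d, unknown CID 0x0041 -> %d\n",
           l2cap_demo_result(0x0040, 16, 0), l2cap_demo_result(0x0041, 16, 0));
    printf("CID 0xFFFF: unchecked index %d, hardened result %d\n",
           l2cap_unchecked_index(0xFFFF), l2cap_demo_result(0xFFFF, 16, 0));
    return 0;
}
```

Three independent checks do the work: the header length must agree with the bytes received, the CID must map to a channel that is actually open (a closed entry is as dangerous as an out-of-range one, since its memory may already have been reused), and the payload must fit the MTU negotiated for that channel. A stack that indexes by CID the way `l2cap_unchecked_index` does gets none of these for free.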
The research was conducted without access to the source code—analysts examined the compiled BlueSDK binary. According to the researchers, a successful attack could enable GPS tracking, eavesdropping on in-cabin conversations, access to the phonebook, and lateral movement across the vehicle’s internal network to reach other components.
OpenSynergy has not disclosed the exact number of affected clients, citing the frequent customization and integration of BlueSDK across various systems, which complicates traceability. Volkswagen has acknowledged the vulnerability, while emphasizing that its exploitation requires multiple conditions to align: the attacker must be within 5–7 meters of the vehicle, the engine must be running, the system must be in pairing mode, and the user must manually confirm the connection.
Volkswagen further assured that even in the event of a successful attack, critical control systems—such as steering, brakes, and the engine—are separately secured and isolated from the Bluetooth module.
PCA Cyber Security also confirmed in June 2025 the presence of PerfektBlue in the systems of another automotive manufacturer that had not received a security advisory from OpenSynergy. The name of the company remains undisclosed, as it has not yet been granted sufficient time to respond. Full technical details of the vulnerabilities will be presented in November 2025 at a cybersecurity conference.
As of now, Mercedes-Benz has not issued an official statement. Volkswagen, on the other hand, launched an internal investigation upon receiving the disclosure and announced its efforts to mitigate the threat. Nonetheless, the question of whether automakers are responding to such risks with appropriate urgency remains unresolved.