The discovery of PerfektBlue Bluetooth vulnerabilities has raised serious security concerns in the automotive industry.
These flaws could let an attacker within Bluetooth range run code on the infotainment system of vehicles from several brands.
What Is PerfektBlue?
PerfektBlue refers to four newly discovered security flaws in OpenSynergy’s BlueSDK Bluetooth stack.
OpenSynergy’s software runs in many vehicles, including those from Mercedes-Benz, Volkswagen, and Skoda.
PCA Cyber Security, an automotive cybersecurity specialist, discovered the PerfektBlue Bluetooth vulnerabilities.
The team has uncovered over 50 car system vulnerabilities in recent years.
The Discovery and Response
PCA Cyber Security discovered the flaws in May 2024 and reported them to OpenSynergy.
OpenSynergy confirmed the issues in June and released patches by September 2024.
However, many automakers have not yet pushed the updates to affected vehicles.
Shockingly, at least one major manufacturer learned about the risks only recently.
How PerfektBlue Attacks Work
The PerfektBlue Bluetooth vulnerabilities are exploited over the air, through the Bluetooth link itself.
The attacker only needs to be within Bluetooth range of the vehicle, and on most affected systems the attack requires at most one user interaction, such as accepting a pairing request.
Some systems allow a device to pair without any user confirmation, which removes even that step.
PCA Cyber Security demonstrated attacks on popular models like:
- Volkswagen ID.4 (ICAS3)
- Mercedes-Benz NTG6
- Skoda Superb (MIB3)
In each case the researchers achieved remote code execution on the infotainment unit, demonstrated with a reverse shell from the head unit to a device under their control.
This could expose GPS data, private conversations, contact lists, and more.
The Four Security Flaws Explained
The researchers found four specific vulnerabilities:
- CVE-2024-45434 (High): Use-after-free in the AVRCP service, the profile that carries media remote-control commands.
- CVE-2024-45431 (Low): Improper validation of an L2CAP channel's remote channel identifier (CID).
- CVE-2024-45433 (Medium): Incorrect function termination in the RFCOMM protocol.
- CVE-2024-45432 (Medium): Function call with an incorrect parameter in the RFCOMM protocol.
Exploiting these flaws could allow attackers to move laterally within the vehicle’s systems.
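The flaw classes above sit in the layers of the Bluetooth stack that parse peer-supplied data before any authentication is complete. The following C snippet is an added illustration of the L2CAP channel-validation class named in the list; it is not BlueSDK code, the page does not publish the real bug's details, and the channel table, state machine and Connection Response handling here are assumptions made for the example. It pairs a handler that trusts the peer's channel identifier and channel state blindly with a hardened handler that checks both before updating the connection table.

```c
/* Added example: L2CAP Connection Response handling, vulnerable vs hardened.
 * Hypothetical stack layout, not OpenSynergy BlueSDK. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_CHANNELS 8
#define L2CAP_FIRST_DYNAMIC_CID 0x0040 /* Core spec: dynamic CIDs start at 0x0040; below are null/fixed/reserved */

typedef enum { CH_FREE = 0, CH_WAIT_CONNECT_RSP, CH_OPEN } chan_state_t;

typedef struct {
    chan_state_t state;
    uint16_t local_cid;  /* CID our side allocated */
    uint16_t remote_cid; /* CID supplied by the peer, i.e. attacker controlled */
    uint16_t psm;        /* upper-layer protocol (RFCOMM, AVCTP, ...) */
} l2cap_chan_t;

typedef struct { l2cap_chan_t chan[MAX_CHANNELS]; } l2cap_conn_t;

/* Connection Response fields as received over the air (already parsed). */
typedef struct {
    uint16_t dest_cid;   /* peer's CID for this channel */
    uint16_t source_cid; /* echoes our local CID */
    uint16_t result;     /* 0 = success */
} l2cap_conn_rsp_t;

static l2cap_chan_t *find_by_local_cid(l2cap_conn_t *c, uint16_t cid) {
    for (size_t i = 0; i < MAX_CHANNELS; i++)
        if (c->chan[i].state != CH_FREE && c->chan[i].local_cid == cid)
            return &c->chan[i];
    return NULL;
}

/* Allocate a channel as if we had sent a Connection Request; returns our local CID or -1. */
int l2cap_open_request(l2cap_conn_t *c, uint16_t psm) {
    for (size_t i = 0; i < MAX_CHANNELS; i++) {
        if (c->chan[i].state == CH_FREE) {
            c->chan[i].state = CH_WAIT_CONNECT_RSP;
            c->chan[i].local_cid = (uint16_t)(L2CAP_FIRST_DYNAMIC_CID + i);
            c->chan[i].remote_cid = 0;
            c->chan[i].psm = psm;
            return c->chan[i].local_cid;
        }
    }
    return -1;
}

/* VULNERABLE: accepts whatever remote CID the peer names, in whatever state we are in. */
int handle_conn_rsp_vulnerable(l2cap_conn_t *c, const l2cap_conn_rsp_t *rsp) {
    l2cap_chan_t *ch = find_by_local_cid(c, rsp->source_cid);
    if (!ch || rsp->result != 0) return -1;
    ch->remote_cid = rsp->dest_cid; /* 0x0000, fixed/reserved, or duplicate CIDs all accepted */
    ch->state = CH_OPEN;            /* no check that this channel was awaiting a response */
    return 0;
}

/* HARDENED: validates channel state, CID range and uniqueness before touching the table. */
int handle_conn_rsp_hardened(l2cap_conn_t *c, const l2cap_conn_rsp_t *rsp) {
    l2cap_chan_t *ch = find_by_local_cid(c, rsp->source_cid);
    if (!ch || rsp->result != 0) return -1;
    if (ch->state != CH_WAIT_CONNECT_RSP) return -2;        /* unsolicited or replayed response */
    if (rsp->dest_cid < L2CAP_FIRST_DYNAMIC_CID) return -3; /* null, signaling or reserved CID */
    for (size_t i = 0; i < MAX_CHANNELS; i++) {             /* remote CID already in use on this link */
        const l2cap_chan_t *o = &c->chan[i];
        if (o != ch && o->state == CH_OPEN && o->remote_cid == rsp->dest_cid) return -4;
    }
    ch->remote_cid = rsp->dest_cid;
    ch->state = CH_OPEN;
    return 0;
}

/* Constructed scenario: the peer answers two requests with the same CID 0x0040 and a
 * third with the L2CAP signaling CID 0x0001. Returns how many responses were accepted. */
int run_scenario(int (*handler)(l2cap_conn_t *, const l2cap_conn_rsp_t *)) {
    l2cap_conn_t conn;
    memset(&conn, 0, sizeof conn);
    int a = l2cap_open_request(&conn, 0x0003); /* RFCOMM PSM */
    int b = l2cap_open_request(&conn, 0x0017); /* AVCTP PSM, used by AVRCP */
    int d = l2cap_open_request(&conn, 0x0019); /* AVDTP PSM */
    l2cap_conn_rsp_t r1 = { 0x0040, (uint16_t)a, 0 };
    l2cap_conn_rsp_t r2 = { 0x0040, (uint16_t)b, 0 }; /* duplicate remote CID */
    l2cap_conn_rsp_t r3 = { 0x0001, (uint16_t)d, 0 }; /* reserved CID, never valid for a dynamic channel */
    int accepted = 0;
    if (handler(&conn, &r1) == 0) accepted++;
    if (handler(&conn, &r2) == 0) accepted++;
    if (handler(&conn, &r3) == 0) accepted++;
    return accepted;
}

/* Constructed check: a replayed response for a channel that is already open. */
int replay_rsp_hardened(void) {
    l2cap_conn_t conn;
    memset(&conn, 0, sizeof conn);
    int a = l2cap_open_request(&conn, 0x0003);
    l2cap_conn_rsp_t r = { 0x0040, (uint16_t)a, 0 };
    handle_conn_rsp_hardened(&conn, &r);
    return handle_conn_rsp_hardened(&conn, &r); /* -2: channel no longer waiting */
}

int main(void) {
    printf("vulnerable handler accepted %d of 3 responses\n", run_scenario(handle_conn_rsp_vulnerable));
    printf("hardened handler accepted %d of 3 responses\n", run_scenario(handle_conn_rsp_hardened));
    printf("replayed response on open channel -> %d\n", replay_rsp_hardened());
    return 0;
}
```

The point of the hardened version is that every field the peer controls is checked against both the spec (CID range) and the local state machine (which channel is waiting, which remote CIDs are already bound) before the connection table is modified; a stack that skips those checks hands the peer a confused channel table before pairing has even completed, which is the kind of foothold the later RFCOMM and AVRCP flaws build on.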
Real-World Risk
The PerfektBlue Bluetooth vulnerabilities impact millions of devices, including vehicles and other products using BlueSDK.
Attacks are typically limited by several factors:
- The attacker must be within 5 to 7 meters of the vehicle.
- The car’s ignition must be on.
- The infotainment system must be in pairing mode.
- The user must approve Bluetooth access.
Even with these restrictions, an attacker who has connected keeps that access for as long as the attacking device stays within Bluetooth range.
Volkswagen confirmed these conditions and emphasized that attackers cannot access safety-critical systems like brakes and steering.
Automaker Response
Volkswagen, Mercedes-Benz, and Skoda were all informed of the PerfektBlue Bluetooth vulnerabilities.
PCA Cyber Security says they provided ample time for the vendors to apply fixes.
However, communication from these automakers has been limited or absent in some cases.
Volkswagen confirmed it is investigating the issues and working on possible solutions.
The company reassured the public that key vehicle functions remain protected.
Wider Impact and Future Disclosure
The real challenge is the widespread use of OpenSynergy’s BlueSDK across industries.
Due to customization and lack of transparency, it’s unclear how many products remain exposed.
PCA Cyber Security identified a fourth major manufacturer affected by PerfektBlue.
PCA Cyber Security will share details about this company and full technical information in November 2025.
Conclusion
The PerfektBlue Bluetooth vulnerabilities demonstrate the growing cybersecurity risks in modern vehicles.
Hackers could exploit these flaws to invade privacy and compromise car systems.
While patches exist, delays in applying them leave millions at risk.
Tech vendors and automakers must urgently strengthen collaboration to protect users.