Researchers identify critical vulnerabilities in automotive Bluetooth systems

Cybersecurity researchers have identified four significant security vulnerabilities in a widely used automotive Bluetooth system that could potentially allow remote attackers to execute code on millions of vehicles worldwide.

The vulnerabilities, collectively named PerfektBlue by PCA Cyber Security, affect OpenSynergy’s BlueSDK Bluetooth stack, which is used to implement Bluetooth functionality in embedded systems, with a strong emphasis on automotive applications. The vulnerabilities impact technology used in Mercedes-Benz, Volkswagen, and Skoda automobiles. A fourth manufacturer, which researchers have not publicly identified, is also confirmed to use the affected technology.

The discovery highlights the expanding attack surface in modern connected vehicles, where Bluetooth-enabled infotainment systems have become standard equipment. The researchers found that the four vulnerabilities can be linked together in an exploit chain, potentially allowing attackers to gain unauthorized access to vehicle systems through Bluetooth connections.

The attack requires an attacker to be within Bluetooth range of a target vehicle and successfully pair with its infotainment system. The pairing process varies depending on how individual manufacturers have implemented the BlueSDK framework, with some systems requiring user interaction, while others may not.

The identified vulnerabilities include a critical use-after-free flaw in the AVRCP service (CVE-2024-45434) with a CVSS score of 8.0, along with three additional flaws related to improper validation and incorrect function handling in L2CAP and RFCOMM protocols.

PCA Cyber Security demonstrated successful exploitation on specific infotainment units from each affected manufacturer, including Mercedes-Benz’s NTG6 system, Volkswagen’s MEB ICAS3 unit used in the electric .ID models, and Skoda’s MIB3 system found in Superb models.

The findings underscore the complexity of automotive cybersecurity, particularly regarding the potential for lateral movement within vehicle networks. While infotainment systems are often designed with some separation from critical vehicle controls, the effectiveness depends on each manufacturer’s specific network architecture and security protocols.

Successful exploitation of the infotainment system could theoretically provide attackers with access to GPS tracking, audio recording capabilities, and contact information. Researchers also note that weak network segmentation could potentially allow attackers to access other vehicle systems, though this would depend on additional vulnerabilities and the specific architecture of each vehicle.

Researchers initially reported their findings to OpenSynergy in May 2024. The company acknowledged the vulnerabilities and developed patches, which were distributed to customers in September 2024. However, the complex nature of automotive supply chains has created challenges in patch distribution. Some original equipment manufacturers had not received the necessary updates as late as June 2025, nearly a year after the initial disclosure. This delay prompted the researchers to proceed with public disclosure while withholding the identity of the fourth manufacturer.

The researchers conducted proof-of-concept demonstrations on actual vehicle hardware, obtaining reverse shell access, which allows remote command execution on the target system. These demonstrations were performed on specific firmware versions ranging from 2020 to 2023, though researchers suggest that both older and newer firmware versions may also be vulnerable.

Further technical information on the vulnerabilities can be found on PCA’s website.