Critical Bluetooth Vulnerabilities Expose Millions of Mercedes, Volkswagen, and Skoda Vehicles to Remote Attacks

CyberSecureFox 🦊

Automotive cybersecurity researchers from PCA Cyber Security have uncovered four critical vulnerabilities in OpenSynergy’s BlueSDK Bluetooth stack, collectively dubbed PerfektBlue. These security flaws affect millions of connected vehicles from major manufacturers including Mercedes-Benz, Volkswagen, and Skoda, creating significant risks for vehicle owners worldwide.

Understanding the PerfektBlue Attack Vector

The PerfektBlue vulnerabilities enable one-click Remote Code Execution (RCE) attacks, allowing cybercriminals to execute arbitrary code with minimal user interaction. Attackers need only convince drivers to accept a Bluetooth pairing request from their device. The threat escalates further as some automakers configure their systems to allow pairing without explicit user confirmation.

The research team from PCA Cyber Security, recognized for their participation in Pwn2Own Automotive competitions and discovery of over 50 automotive vulnerabilities in the past year, conducted their analysis on compiled binary code without access to source code. This reverse-engineering achievement demonstrates the sophisticated nature of modern automotive cybersecurity research.

Confirmed Attack Demonstrations

Security researchers successfully demonstrated PerfektBlue exploits on real-world automotive systems. The attacks were verified on Volkswagen ID.4 vehicles with ICAS3 systems, Mercedes-Benz models featuring NTG6 systems, and Skoda Superb vehicles equipped with MIB3 systems. In each case, researchers achieved reverse shell access via TCP/IP protocols, opening pathways for deeper network penetration.

Potential Impact of Successful Exploitation

Once attackers gain code execution within a vehicle’s infotainment system, they can access numerous vehicle functions and sensitive data. Potential attack scenarios include real-time GPS tracking of vehicle locations, eavesdropping on conversations within the vehicle cabin, accessing contact lists from connected smartphones, and lateral movement to other critical vehicle subsystems. This level of system compromise poses serious privacy and safety risks for vehicle owners.

Vendor Response and Patch Management Challenges

OpenSynergy acknowledged the vulnerabilities in June 2024 and released corresponding patches in September. However, the implementation process for these fixes in vehicle firmware has proven lengthy and complex. According to sources, many automakers have yet to integrate the security updates into their systems, with some major OEMs only recently becoming aware of the threat.

Volkswagen representatives confirmed launching an investigation immediately after receiving vulnerability information. The company emphasized that attacks require specific conditions and that attackers must remain within 5-7 meters of the target vehicle to maintain access. Volkswagen also stressed that critical vehicle functions—steering, driver assistance systems, engine, and braking systems—operate on separate control units with dedicated security mechanisms.

Communication Gaps in Industry Response

Despite providing adequate response time, researchers received no communication from Mercedes-Benz and Skoda representatives. This lack of engagement raises concerns about these manufacturers’ readiness to respond promptly to cybersecurity threats.

Supply Chain Complexity and Vulnerability Scope

OpenSynergy’s BlueSDK extends beyond automotive applications, but determining all affected products remains challenging due to customization, rebranding, and limited transparency in software supply chains. This complexity significantly complicates accurate threat assessment and coordinated vulnerability remediation efforts.

The research team plans to release complete technical details of the PerfektBlue vulnerabilities in November 2025, providing developers and security professionals sufficient time to prepare and implement protective measures. This incident underscores the critical importance of timely automotive software updates and the need for enhanced collaboration between security researchers and vehicle manufacturers to protect end users from evolving cyber threats.
