PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution Risks

Bluetooth flaws in OpenSynergy’s BlueSDK expose vehicles from Mercedes-Benz, Volkswagen, and Skoda to over-the-air attacks, enabling remote code execution on the infotainment unit and a foothold from which other in-vehicle systems could be probed.

    Researchers Uncover PerfektBlue Exploit Chain in OpenSynergy’s Bluetooth Stack

    A set of four newly disclosed Bluetooth vulnerabilities, collectively dubbed PerfektBlue, has raised significant concern across the automotive industry. Discovered by PCA Cyber Security, the flaws impact OpenSynergy’s BlueSDK stack, widely used in vehicle infotainment systems, including those found in models by Mercedes-Benz, Volkswagen, and Skoda.

    The vulnerabilities, which range from low to high severity, allow an attacker to execute code remotely via Bluetooth with minimal user interaction. Researchers say the attack requires “at most 1-click from a user,” and in some vehicle models, even that may not be necessary.

    While OpenSynergy released patches to affected customers in September 2024, many vehicle manufacturers have reportedly failed to apply or distribute the updated firmware. At least one major OEM was only recently made aware of the security risks.

    Exploiting BlueSDK to Gain Deep Access Through Infotainment Systems

    The flaws reside within BlueSDK, a widely adopted Bluetooth software stack. According to PCA, the issues can be chained into a full exploit capable of compromising in-vehicle infotainment systems.

    The vulnerabilities include:

    • CVE-2024-45434 (High): A use-after-free in the AVRCP (Audio/Video Remote Control Profile) service, the Bluetooth profile that carries media-control commands between phone and head unit.
    • CVE-2024-45433 and CVE-2024-45432 (Medium): Two bugs in RFCOMM protocol handling, an improper function termination and a function call with an incorrect parameter.
    • CVE-2024-45431 (Low): Improper validation of a remote L2CAP (Logical Link Control and Adaptation Protocol) channel ID (CID) supplied by the peer device.
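    The L2CAP entry above describes a missing check on a channel ID that the remote device chooses. The following C handler is an added illustration of that bug class only; it is not BlueSDK's code and not the actual PerfektBlue bug, whose details PCA has not published. It parses an L2CAP Connection Response and validates both CIDs the peer supplies before using one as a table index and storing the other. The frame layout and the CID ranges come from the public Bluetooth Core specification; the channel table, its size, the state values and the sample frames are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* L2CAP Connection Response (signalling code 0x03), little-endian, per the
 * public Bluetooth Core specification:
 *   header: code(1) | identifier(1) | length(2)
 *   body:   Destination CID(2) | Source CID(2) | Result(2) | Status(2)
 * CIDs 0x0000-0x003F are fixed or reserved; connection-oriented channels use
 * the dynamic range 0x0040-0xFFFF. The channel table, its size and the
 * state values below are assumptions of this example, not BlueSDK's. */
#define L2CAP_CODE_CONN_RSP   0x03
#define L2CAP_CONN_RSP_LEN    8
#define L2CAP_CID_DYN_START   0x0040
#define L2CAP_RESULT_SUCCESS  0x0000
#define MAX_CHANNELS          8      /* assumed table size */

enum { CH_WAIT_CONN_RSP = 0, CH_OPEN = 1 };

struct l2cap_channel {
    bool     in_use;
    uint16_t local_cid;    /* CID we allocated: 0x0040 + table index */
    uint16_t remote_cid;   /* peer's CID, learned from its response */
    int      state;
};

static struct l2cap_channel channels[MAX_CHANNELS];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Simulate having sent a Connection Request from table slot idx. */
int open_pending_channel(int idx)
{
    if (idx < 0 || idx >= MAX_CHANNELS) return -1;
    channels[idx].in_use = true;
    channels[idx].local_cid = (uint16_t)(L2CAP_CID_DYN_START + idx);
    channels[idx].remote_cid = 0;
    channels[idx].state = CH_WAIT_CONN_RSP;
    return idx;
}

/* Handle a Connection Response from the peer. Every remote-supplied value is
 * validated before it is used as a table index or stored. Returns the channel
 * index on success, -1 on any malformed or unexpected frame. A handler that
 * used dcid or scid without these checks would let the peer select a slot
 * outside the table or a fixed/reserved CID, which is the bug class the
 * L2CAP entry above describes. */
int handle_conn_rsp(const uint8_t *pkt, size_t len)
{
    if (len < 4 + L2CAP_CONN_RSP_LEN || pkt[0] != L2CAP_CODE_CONN_RSP ||
        rd16(pkt + 2) != L2CAP_CONN_RSP_LEN)
        return -1;                                  /* truncated or wrong frame */

    uint16_t dcid   = rd16(pkt + 4);                /* our CID, echoed by the peer */
    uint16_t scid   = rd16(pkt + 6);                /* peer's CID for this channel */
    uint16_t result = rd16(pkt + 8);

    /* Destination CID must be one we allocated: dynamic range AND inside the table. */
    if (dcid < L2CAP_CID_DYN_START || dcid - L2CAP_CID_DYN_START >= MAX_CHANNELS)
        return -1;
    struct l2cap_channel *ch = &channels[dcid - L2CAP_CID_DYN_START];
    if (!ch->in_use || ch->state != CH_WAIT_CONN_RSP)
        return -1;                                  /* no request outstanding */

    if (result != L2CAP_RESULT_SUCCESS)
        return -1;
    /* Source CID is the peer's channel id; fixed/reserved CIDs are never valid here. */
    if (scid < L2CAP_CID_DYN_START)
        return -1;

    ch->remote_cid = scid;
    ch->state = CH_OPEN;
    return dcid - L2CAP_CID_DYN_START;
}

/* Constructed sample frames for this example (not captured traffic). */
const uint8_t sample_rsp_ok[]       = {0x03,0x01,0x08,0x00, 0x40,0x00, 0x41,0x00, 0x00,0x00, 0x00,0x00};
const uint8_t sample_rsp_bad_dcid[] = {0x03,0x02,0x08,0x00, 0x48,0x00, 0x41,0x00, 0x00,0x00, 0x00,0x00}; /* slot 8: past the table */
const uint8_t sample_rsp_bad_scid[] = {0x03,0x03,0x08,0x00, 0x40,0x00, 0x01,0x00, 0x00,0x00, 0x00,0x00}; /* peer CID = signalling channel */

int main(void)
{
    open_pending_channel(0);
    printf("bad dcid  -> %d\n", handle_conn_rsp(sample_rsp_bad_dcid, sizeof sample_rsp_bad_dcid));
    printf("bad scid  -> %d\n", handle_conn_rsp(sample_rsp_bad_scid, sizeof sample_rsp_bad_scid));
    printf("truncated -> %d\n", handle_conn_rsp(sample_rsp_ok, 6));
    printf("valid     -> %d\n", handle_conn_rsp(sample_rsp_ok, sizeof sample_rsp_ok));
    printf("replayed  -> %d\n", handle_conn_rsp(sample_rsp_ok, sizeof sample_rsp_ok));
    return 0;
}
```

    The order of the checks matters: the length and code are verified before any field is read, the Destination CID is range-checked before it is turned into a pointer into the table, and the slot's state is checked so a response with no outstanding request (or a replayed one) is dropped rather than acted on.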

    Even without access to BlueSDK’s source code, PCA researchers managed to reverse-engineer the binary and build a working exploit chain, enabling remote code execution (RCE) and lateral movement within the vehicle’s internal networks.

    In live demonstrations, researchers achieved a reverse shell via TCP/IP from infotainment units in vehicles such as the Volkswagen ID.4 (ICAS3), Mercedes-Benz NTG6, and Skoda Superb MIB3. With that level of access, attackers could potentially track GPS locations, access user data, eavesdrop on calls, and move laterally toward more sensitive systems—although those systems are typically isolated.

    Automaker Responses and Risk Mitigation Challenges

    Volkswagen has acknowledged the vulnerability and is investigating its impact. A spokesperson told media outlets:

    “The investigations revealed that it is possible under certain conditions to connect to the vehicle’s infotainment system via Bluetooth without authorization.”

    However, the company emphasized that several conditions must be met for a successful attack, including close proximity (within 5–7 meters), the vehicle being powered on, the infotainment system in pairing mode, and explicit user approval of the pairing request.

    Even if those conditions are satisfied, Volkswagen stated that critical vehicle functions such as steering, braking, and engine control remain protected by independent security systems housed on separate control units.

    Mercedes-Benz and Skoda have yet to issue public statements. According to PCA, no acknowledgment or confirmation was received from those vendors despite prior notifications.

    Broader Industry Impact and Supply Chain Transparency Issues

    PerfektBlue is notable not just for its severity, but for how widespread its impact may be. Due to how BlueSDK is customized, repackaged, and embedded across vendor platforms, determining the full extent of affected systems remains difficult.

    OpenSynergy has not responded to requests for comment on how many customers or devices may be at risk.

    Complicating matters further, some infotainment systems allow automatic pairing without user interaction, significantly reducing the effort required for an attacker to execute the exploit.

    In June, PCA confirmed a fourth affected OEM, which had reportedly not been informed of the vulnerabilities by OpenSynergy. Researchers plan to disclose more details in November 2025 at a cybersecurity conference.

    What’s at Stake: Persistent Access and Cross-System Risks

    While Bluetooth-based attacks may seem low priority compared to direct hacks on braking or engine systems, infotainment system compromise opens a path for surveillance, lateral network movement, and access to private user data—a growing concern in connected vehicle security.

    The PerfektBlue exploit is a reminder of how supply chain software vulnerabilities, especially in embedded components like Bluetooth stacks, can ripple across millions of devices—often with limited visibility or transparency from vendors.
