Researchers found critical PerfektBlue flaws in OpenSynergy BlueSDK, allowing remote code execution to hack millions of vehicles’ systems.
Researchers at PCA Cyber Security identified a set of critical vulnerabilities, collectively tracked as PerfektBlue, in OpenSynergy BlueSDK Bluetooth stack. The exploitation of the flaws potentially allows remote code execution in millions of vehicles. These flaws could enable attackers to hack car systems remotely.
OpenSynergy’s BlueSDK is a Bluetooth implementation that is widely adopted in the automotive industry. It supports both Classic and Low Energy modes, is hardware-agnostic, and includes various standard Bluetooth profiles. BlueSDK is considered as a Bluetooth framework, which means that it can be modified by vendors to fit their specific systems, making it flexible but also potentially more vulnerable.
The PerfektBlue attack chains Bluetooth flaws to hack a car’s infotainment system, enabling location tracking, audio recording, and access to phonebook data. It may also allow lateral movement to critical functions like steering and wipers, though the researchers did not demonstrate it.
“The only requirement for PerfektBlue attack is the pairing with the target device to have an appropriate security communication level. However, this limitation is implementation-specific due to the framework nature of BlueSDK. Thus, pairing process might look different between various devices: limited/unlimited number of pairing requests, presence/absence of user interaction, or pairing might be disabled completely.” reads the advisory published by the researchers. “Essentially, PerfektBlue requires at most 1-click from a user to be exploited over-the-air by an attacker.”
The OpenSynergy BlueSDK Bluetooth framework is widely used in cars, especially by vendors like Mercedes-Benz, Volkswagen, and Skoda. These issues mostly impact the automotive sector, though other devices may be affected too. To stay safe, users should update their systems or disable Bluetooth.
Below are the vulnerabilities discovered by the researchers:
| CVE ID | Description | CVSS 3.1 score |
|---|---|---|
| CVE-2024-45434 | Use-After-Free in AVRCP service | 8.0 (Critical) |
| CVE-2024-45431 | Improper validation of an L2CAP channel’s remote CID | 3.5 (Low) |
| CVE-2024-45433 | Incorrect function termination in RFCOMM | 5.7 (Medium) |
| CVE-2024-45432 | Function call with incorrect parameter in RFCOMM | 5.7 (Medium) |
The researchers demonstrated the attack against Mercedes-Benz NTG6 head unit, Volkswagen MEB ICAS3 head unit, and Skoda MIB3 head unit.
The researchers devised proof-of-concept exploits for three Infotainment systems of different vendors.
“PCA Security Assessment Team identified multiple vulnerabilities with low-to-critical severity, allowing an attacker to obtain 1-click Remote Code Execution (RCE) in the operating system of a device which utilizes BlueSDK Bluetooth stack. In this level of access, an attacker could manipulate the system, escalate privileges and perform lateral movement to other components of the target product.” reads the advisory.
“The vulnerabilities on testing devices PCA Team used for vulnerability research and verification, were accessible after pairing. However, those vulnerabilities may potentially be available before pairing process on some devices utilizing BlueSDK, as this highly depends on the implementation chosen by the end developer (either by profile security level or “Just Works” SSP mode).”
The researchers reported the flaws to the OpenSynergy Security Team on May 17, 20224. On July 15, 2024, OpenSynergy confirmed the vulnerabilities and started working on the patches. The patches were completed in September 2024.
In March 2025, PCA Cyber Security initiated responsible disclosure by sharing the content of the PerfektBlue advisory website with OpenSynergy, allowing them time to review the findings. By early June, PCA had confirmed that the vulnerabilities affected several vehicle models from an undisclosed original equipment manufacturer (OEM), whose security team was promptly notified.
On June 10th, PCA informed OpenSynergy that it intended to publish the advisory and supporting website on July 2nd, providing a clear timeline for coordinated disclosure. However, by June 23rd, the affected OEM reported that they had not received any official notification or patch regarding the vulnerabilities through their supply chain. In response, PCA decided to move forward with publication while choosing not to reveal the OEM’s identity publicly.
Finally, on July 7th, the advisory was officially released. The primary goal of this public disclosure was to raise awareness of the PerfektBlue attack chain among OEMs, suppliers, and end users, encouraging faster remediation and enhanced security across the affected ecosystem.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, automotive)
Source: SecurityAffairs
Source Link: https://securityaffairs.com/179789/hacking/perfektblue-bluetooth-attack-allows-hacking-infotainment-systems-of-mercedes-volkswagen-and-skoda.html