Redazione RHC : 20 July 2025 20:57
Four vulnerabilities, dubbed PerfektBlue, affect OpenSynergy’s Bluetooth BlueSDK stack. The vulnerabilities allow remote execution of arbitrary code and could contribute to accessing critical components in vehicles from manufacturers such as Mercedes-Benz AG, Volkswagen, and Škoda. OpenSynergy confirmed the issues in June 2024 and released patches in September. However, many car manufacturers have not yet implemented the updates in their firmware.
The vulnerabilities were discovered by specialists at PCA Cyber Security, a company specializing in automotive security. The company regularly participates in the Pwn2Own Automotive competition and has discovered more than 50 bugs in various automotive systems since last year. According to the researchers, the PerfektBlue issues affect millions of devices in the automotive industry and beyond. Note, however, that the experts studied the compiled binary of BlueSDK, as they did not have the source code.
The vulnerabilities vary in severity and can allow access to the internal components of various vehicles via the infotainment system.
Although the researchers have not disclosed all the technical details, they write that an attacker connected to a vulnerable device can manipulate the system, escalate privileges, and move on to other components. PerfektBlue is a 1-click RCE attack because the attacker only needs to convince the user to accept a pairing request from the attacker's device. Some car manufacturers configure their systems so that pairing is possible even without confirmation.
PCA Cyber Security has demonstrated that PerfektBlue works with the head units of the Volkswagen ID.4 (ICSA3 system), Mercedes-Benz (NTG6), and Škoda Superb (MIB3).
Reverse shell on the Mercedes-Benz NTG6
It is noted that, after gaining remote code execution in the context of the car’s infotainment system, an attacker can track GPS coordinates, eavesdrop on in-car conversations, access the owner’s phone contacts, and even move laterally to reach critical car subsystems. OpenSynergy’s BlueSDK is widely used outside the automotive industry, but it is difficult to identify who else is using it in their products (due to customization, rebranding, and a lack of transparency).
The researchers informed Volkswagen, Mercedes-Benz, and Škoda of the problems encountered, giving them sufficient time to implement solutions. However, the experts never received a response from the automakers. Mercedes-Benz representatives did not respond to requests from journalists, and Volkswagen said it launched an investigation immediately after receiving information about the vulnerabilities. “The investigation has shown that under certain conditions, it is possible to connect to the vehicle’s infotainment system via Bluetooth without authorization,” Volkswagen said.
But the company emphasized that the exploit will only work if certain conditions are met:
Even if these conditions are met, the attacker must remain within 5-7 meters of the car during the attack to maintain access. The company separately noted that even in the event of a successful compromise, a hacker will not be able to compromise the car’s critical functions, including steering, driver assistance systems, engine operation, and braking system (which are controlled by a separate unit with its own protection mechanisms).