A newly disclosed set of Bluetooth vulnerabilities puts millions of modern vehicles at risk. The flaws, found in a Bluetooth stack used in many car infotainment systems, could allow an attacker within radio range to execute malicious code without the driver noticing anything is wrong. The attack, named PerfektBlue, targets a widely deployed Bluetooth protocol stack called BlueSDK, developed by the Berlin-based company OpenSynergy. BlueSDK is embedded in the infotainment systems of popular car brands, including Mercedes-Benz, Volkswagen, and Škoda. Researchers from PCA Cyber Security made the discovery and warn that the attack can lead to full compromise of the infotainment unit with little user interaction.
How the PerfektBlue Attack Works
Bluetooth-based attacks have historically been limited by range and often required complex interaction. PerfektBlue lowers that bar. It chains four critical vulnerabilities in BlueSDK to achieve remote code execution (RCE), the worst-case outcome for a network-facing software flaw.
An attacker needs to be within Bluetooth range, which the researchers put at roughly five to seven meters of the target vehicle. If the car is powered on and its infotainment unit is discoverable or in pairing mode, the attacker can initiate a connection and deliver a crafted payload. In some configurations no user interaction is required; in others, a single tap to approve a pairing request is enough to trigger the exploit. Once the exploit succeeds, the attacker can run arbitrary code on the infotainment unit.
How far the impact extends beyond the radio or navigation system depends on how the infotainment unit is integrated with the rest of the vehicle. Where the head unit is not properly segregated from other in-vehicle networks, access to onboard diagnostics, microphones, or telemetry systems is possible in principle, but this varies by manufacturer and model, and the research does not claim that any particular vehicle function beyond the infotainment unit was reached.
Who Is Affected?
The exposure is broad because OpenSynergy licenses BlueSDK to multiple automotive Tier 1 suppliers, the companies that build major subsystems used by automakers. The issue is therefore not limited to a single brand or region. While Mercedes-Benz, Volkswagen, and Škoda have been named in the research, any other car brand whose head unit ships the same software stack could be affected.
As of now, Volkswagen has publicly acknowledged that it is investigating the report. Most other automakers have yet to comment.
OpenSynergy released patched versions of BlueSDK in September 2024, but a fix in the library does not reach a car by itself: the Tier 1 supplier must integrate the new version into its head-unit firmware, and the automaker must then ship that firmware to vehicles, over the air or at a dealership. Vehicle firmware update cycles are notoriously slow, so in many cases the software is already patched upstream but still not deployed to the cars on the road.
The Broader Problem With Embedded Bluetooth
PerfektBlue is not an isolated incident. It reflects a much larger problem: the hidden complexity and insecurity of embedded Bluetooth stacks. Unlike consumer devices that often receive regular security updates, embedded systems like those in cars are more difficult to patch and rarely updated after purchase.
Bluetooth stacks are particularly prone to vulnerabilities because they implement complex, stateful protocols designed for broad compatibility across devices and vendors. That complexity creates a wide attack surface, and it has been exploited before. From BlueBorne in 2017 to the more recent KNOB attack on encryption key negotiation and the BIAS device-impersonation attack, Bluetooth has a long history of being a soft target for skilled attackers.
PerfektBlue adds to that list, but its focus on cars — rather than smartphones or headsets — makes it stand out. It shows how infotainment systems, often treated as isolated conveniences, can become serious security liabilities when not properly secured.
What Can Users Do?
For most drivers, there is no way to apply the patch themselves. Firmware updates must come from the car manufacturer or a dealership. Concerned owners should ask their dealer or the manufacturer's support line whether their vehicle's infotainment system uses BlueSDK, whether it is affected, and whether a firmware update is available.
In the meantime, avoid putting the vehicle into Bluetooth pairing mode in public places, and do not approve pairing requests you did not initiate. Turning Bluetooth off when it is not in use also reduces exposure, though that is not always practical for drivers who rely on in-car audio or hands-free calling.
Final Thoughts
PerfektBlue is a wake-up call for the auto industry. While cars become more connected and feature-rich with every model year, their attack surfaces are expanding just as quickly. Infotainment systems are no longer benign screens for music and maps — they’re entry points into highly complex digital environments.
Until manufacturers treat these components with the same level of scrutiny as traditional IT systems, vulnerabilities like PerfektBlue will continue to surface. The hope is that this discovery prompts faster patch adoption and greater transparency from vendors who still treat vehicle cybersecurity as an afterthought.
If there is one thing PerfektBlue makes clear, it is that Bluetooth is no longer just a convenience. It is an attack vector, and one we cannot afford to ignore.