Researchers identify critical vulnerabilities in automotive Bluetooth systems | CyberScoop<\/title> <meta name=\"description\" content=\"Cybersecurity researchers have identified four significant security vulnerabilities in a widely used automotive Bluetooth system that could potentially allow remote attackers to execute code on millions of vehicles worldwide.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/perfektblue-bluetooth-vulnerabilties-bluesdk-software\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Researchers identify critical vulnerabilities in automotive Bluetooth systems\"> <meta property=\"og:description\" content=\"Cybersecurity researchers have identified four significant security vulnerabilities in a widely used automotive Bluetooth system that could potentially allow remote attackers to execute code on millions of vehicles worldwide.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/perfektblue-bluetooth-vulnerabilties-bluesdk-software\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-07-11T15:17:46+00:00\"> <meta property=\"article:modified_time\" content=\"2025-07-11T15:17:48+00:00\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg\"> <meta name=\"twitter:creator\" content=\"@gregotto\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1746040294g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1750115417g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1752075323g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85149\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85149\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fperfektblue-bluetooth-vulnerabilties-bluesdk-software%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fperfektblue-bluetooth-vulnerabilties-bluesdk-software%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85149 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/perfektblue-bluetooth-vulnerabilties-bluesdk-software\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.9180327868852\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.966722129784\">\n<div class=\"single-article__header-content\" readability=\"34.649171270718\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/perfektblue-bluetooth-vulnerabilties-bluesdk-software\/\"> <span>Transportation<\/span> <\/a> <\/li>\n<\/ul>\n<p> \u201cPerfektBlue\u201d impacts tech used in Mercedes-Benz, Volkswagen, and Skoda automobiles. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/85149\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg 4703w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Workers assemble the Volkswagen ID.4 electric SUV at the VW factory on September 18, 2020 in Zwickau, Germany. Researchers have found a security flaw in the SDK used in the car’s infotainment system. (Photo by Jens Schlueter\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"36.760773351968\"><body readability=\"74.706994328922\"><\/p>\n<p>Cybersecurity researchers have identified four significant security vulnerabilities in a widely used automotive Bluetooth system that could potentially allow remote attackers to execute code on millions of vehicles worldwide.<\/p>\n<p>The vulnerabilities, collectively named <a href=\"https:\/\/perfektblue.pcacybersecurity.com\/\">PerfektBlue<\/a> by PCA Cyber Security, affect <a href=\"https:\/\/www.opensynergy.com\/blue-sdk\/\">OpenSynergy\u2019s BlueSDK<\/a> Bluetooth stack, which is used to implement Bluetooth functionality in embedded systems, with a strong emphasis on automotive applications. The vulnerabilities impact technology used in Mercedes-Benz, Volkswagen, and Skoda automobiles. A fourth manufacturer, which researchers have not publicly identified, is also confirmed to use the affected technology.<\/p>\n<p>The discovery highlights the expanding attack surface in modern connected vehicles, where Bluetooth-enabled infotainment systems have become standard equipment. The researchers found that the four vulnerabilities can be linked together in an exploit chain, potentially allowing attackers to gain unauthorized access to vehicle systems through Bluetooth connections.<\/p>\n<p>The attack requires an attacker to be within Bluetooth range of a target vehicle and successfully pair with its infotainment system. The pairing process varies depending on how individual manufacturers have implemented the BlueSDK framework, with some systems requiring user interaction, while others may not.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The identified vulnerabilities include a critical use-after-free flaw in the AVRCP service (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-45434\">CVE-2024-45434<\/a>) with a CVSS score of 8.0, along with three additional flaws related to improper validation and incorrect function handling in L2CAP and RFCOMM protocols.<\/p>\n<p>PCA Cyber Security demonstrated successful exploitation on specific infotainment units from each affected manufacturer, including Mercedes-Benz\u2019s NTG6 system, Volkswagen\u2019s MEB ICAS3 unit used in the electric .ID models, and Skoda\u2019s MIB3 system found in Superb models.<\/p>\n<p>The findings underscore the complexity of automotive cybersecurity, particularly regarding the potential for lateral movement within vehicle networks. While infotainment systems are often designed with some separation from critical vehicle controls, the effectiveness depends on each manufacturer\u2019s specific network architecture and security protocols.<\/p>\n<p>Successful exploitation of the infotainment system could theoretically provide attackers with access to GPS tracking, audio recording capabilities, and contact information. Researchers also note that weak network segmentation could potentially allow attackers to access other vehicle systems, though this would depend on additional vulnerabilities and the specific architecture of each vehicle.<\/p>\n<p>Researchers initially reported their findings to OpenSynergy in May 2024. The company acknowledged the vulnerabilities and developed patches, which were distributed to customers in September 2024. However, the complex nature of automotive supply chains has created challenges in patch distribution. Some original equipment manufacturers had not received the necessary updates as late as June 2025, nearly a year after the initial disclosure. This delay prompted the researchers to proceed with public disclosure while withholding the identity of the fourth manufacturer.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The researchers conducted proof-of-concept demonstrations on actual vehicle hardware, obtaining reverse shell access, which allows remote command execution on the target system. These demonstrations were performed on specific firmware versions ranging from 2020 to 2023, though researchers suggest that both older and newer firmware versions may also be vulnerable.<\/p>\n<p>Further technical information on the vulnerabilities can be found on <a href=\"https:\/\/pcacybersecurity.com\/resources\/advisory\/perfekt-blue\">PCA\u2019s website<\/a>. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.911714770798\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/07\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/perfektblue-bluetooth-vulnerabilties-bluesdk-software\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers identify critical vulnerabilities in automotive Bluetooth systems | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4556,4557,4558,4559,4560,4561,2917,4562],"tags":[4563,4564,4565,4566,4567,4568,2920,4569],"class_list":["post-7794","post","type-post","status-publish","format-standard","hentry","category-bluetooth","category-mercedes-benz","category-opensynergy","category-pca-cyber-security","category-perfektblue","category-skoda","category-transportation","category-volkswagen","tag-bluetooth","tag-mercedes-benz","tag-opensynergy","tag-pca-cyber-security","tag-perfektblue","tag-skoda","tag-transportation","tag-volkswagen"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bluetooth\/\" rel=\"category tag\">Bluetooth<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mercedes-benz\/\" rel=\"category tag\">Mercedes-Benz<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/opensynergy\/\" rel=\"category tag\">OpenSynergy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/pca-cyber-security\/\" rel=\"category tag\">PCA Cyber Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/perfektblue\/\" rel=\"category tag\">PerfektBlue<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/skoda\/\" rel=\"category tag\">Skoda<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/transportation\/\" rel=\"category tag\">transportation<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/volkswagen\/\" rel=\"category tag\">Volkswagen<\/a>","tag_info":"Volkswagen","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7794"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7794\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7794,"date":"2025-07-11T10:17:46","date_gmt":"2025-07-11T15:17:46","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85149"},"modified":"2025-07-11T10:17:46","modified_gmt":"2025-07-11T15:17:46","slug":"researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/07\/11\/researchers-identify-critical-vulnerabilities-in-automotive-bluetooth-systems\/","title":{"rendered":"Researchers identify critical vulnerabilities in automotive Bluetooth systems"},"content":{"rendered":"