Full Report
Four vulnerabilities dubbed PerfektBlue and affecting the BlueSDK Bluetooth stack from OpenSynergy can be exploited to achieve remote code execution and potentially allow access to critical elements in vehicles from multiple vendors, including Mercedes-Benz AG, Volkswagen, and Skoda. [...]
Analysis Summary
# Vulnerability: PerfektBlue Bluetooth Flaws Impacting Automotive Infotainment Systems
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided in the text.
- CWE: Not explicitly provided in the text, likely related to Bluetooth protocol implementation or handling of communication sequences.
## Affected Systems
- Products: Automotive infotainment systems utilizing **PerfektBlue** (likely an OpenSynergy product or component).
- Versions: Specific versions are not detailed, but the flaw is present in systems using the affected PerfektBlue implementation.
- Configurations: Requires the vehicle user to actively approve external Bluetooth access for the attacker's device.
## Vulnerability Description
The PerfektBlue Bluetooth library/component used in certain automotive systems contains security flaws. If successfully exploited, an attacker could potentially establish communication with the Bluetooth interface of the vehicle. **Crucially, successful exploitation requires the vehicle user to actively approve the external Bluetooth access request on the vehicle's screen.**
## Exploitation
- Status: Details on exploitation status (e.g., exploited in the wild) are not provided. Researchers plan to disclose full technical details in November 2025.
- Complexity: At least **Medium** (requires user interaction to allow pairing/connection).
- Attack Vector: **Adjacent** (Requires being within short range of the vehicle).
## Impact
If successfully exploited after user approval and within close proximity:
- Confidentiality: Potential impact on data accessible via the connected Bluetooth stack (e.g., phonebook access, call logs, audio streaming).
- Integrity: Potential impact on data integrity within the connected infotainment unit.
- Availability: Minimal expected impact on core vehicle functions.
*Note: Vendors state that critical functions (steering, braking, driver assistance, engine) are on separate, protected control units and cannot be affected by this exploit.*
## Remediation
### Patches
- Vendor-specific patches are implied as Mercedes, Volkswagen, and Skoda are responsible for deploying fixes through their normal service channels. Specific patch versions are not listed here.
### Workarounds
- The attacker must remain within a maximum distance of **5 to 7 meters** from the vehicle to maintain access.
- **User Awareness:** The flaw mandates that the vehicle user must **actively approve** the external Bluetooth access request on the screen for a connection to be established. Do not approve unknown or unexpected Bluetooth connection requests.
## Detection
- Detection methods are not specified, but monitoring for unexpected Bluetooth pairing prompts or connections attempts on the infotainment system would be relevant.
## References
- Vendor advisories are expected from Mercedes, Volkswagen, and Skoda.
- Research disclosure planned for conference talk in **November 2025**.
- News Source: bleepingcomputer dot com / news / security / perfektblue-bluetooth-flaws-impact-mercedes-volkswagen-skoda-cars /