Four vulnerabilities dubbed PerfektBlue, affecting the BlueSDK Bluetooth stack from OpenSynergy, can be exploited to achieve remote code execution and potentially allow access to critical elements in vehicles from multiple vendors, including Mercedes-Benz AG, Volkswagen, and Skoda.

PCA Cyber Security told BleepingComputer that it informed Volkswagen, Mercedes-Benz, and Skoda about the vulnerabilities and gave them sufficient time to apply the patches, but the researchers received no reply from the vendors about addressing the issues. PCA Cyber Security also told BleepingComputer that last month it confirmed PerfektBlue at a fourth automotive OEM, which said that OpenSynergy had not informed it of the issues.

PCA Cyber Security demonstrated PerfektBlue attacks on infotainment head units in the Volkswagen ID.4 (ICAS3 system), Mercedes-Benz (NTG6), and Skoda Superb (MIB3), and obtained a reverse shell over TCP/IP, the protocol suite that allows communication between devices on a network, such as components in a car.

The pentesting team at PCA Cyber Security, a company specializing in automotive security, discovered the PerfektBlue vulnerabilities and reported them to OpenSynergy in May 2024. The researchers say that with remote code execution on the in-vehicle infotainment (IVI) system, an attacker could track GPS coordinates, eavesdrop on conversations in the car, access phone contacts, and potentially move laterally to more critical subsystems in the vehicle.

OpenSynergy's BlueSDK is widely used in the automotive industry, but it is difficult to determine which vendors rely on it because of customization and repackaging processes, as well as a lack of transparency regarding the embedded software components of a car. BleepingComputer has also contacted OpenSynergy to ask about the impact PerfektBlue has on its customers and how many are affected, but we had not received a reply at publishing time.
Source: www.bleepingcomputer.com. Published: Thu, 10 Jul 2025 16:05:19 +0000