(TestMiles) – Security researchers have uncovered a devastating Bluetooth exploit affecting millions of vehicles from brands like Mercedes, VW, and Skoda (Not sold in the US). Here’s what drivers and automakers need to know.
While most drivers pair their phones with infotainment systems without a second thought, a chilling new exploit dubbed PerfektBlue is proving just how risky that habit can be. This isn’t a theoretical vulnerability. Researchers demonstrated remote code execution on production vehicles using only a Bluetooth connection no cables, no ports, no physical access required.
Why does this matter right now?The threat isn’t about infotainment convenience, it’s about control. PerfektBlue targets the widely used OpenSynergy BlueSDK Bluetooth stack, a software suite embedded in millions of cars worldwide. The exploit chain uses a combination of four known vulnerabilities (CVE‑2024‑45434, 45431, 45432, 45433), one of which scores a critical 8.0 on the CVSS severity scale.
Researchers successfully executed the attack on infotainment systems found in Mercedes-Benz NTG6, Volkswagen MEB ICAS3, and Skoda MIB3 platforms. Once compromised, attackers could track vehicle locations, snoop on in-cabin audio, and lift private data like contacts. More concerning, the vulnerability could be a stepping stone to access deeper vehicle controls, steering, brakes, or worse, though such lateral movement hasn’t yet been publicly confirmed.
This isn’t just an OEM issueIt’s a supply chain nightmare. If your car runs on BlueSDK and hasn’t been patched since September 2024, it’s potentially exposed no matter what badge is on the grille.
How does it compare to rivals?PerfektBlue doesn’t target a specific brand it exploits shared software embedded across the auto industry. That’s what makes it scarier than isolated brand vulnerabilities like Jeep’s 2015 Uconnect exploit or Tesla’s recent steering hacks. Those had manufacturer-specific fixes. PerfektBlue? It’s everywhere, and updates require dealer visits, software over-the-air capability, or worst of all customer apathy.
Most automakers still lack robust cybersecurity patching pipelines. Vehicles affected by this flaw were only patched after OpenSynergy released a fix in September 2024 months after researchers reported the issue in May. And as of July 2025, many of those cars remain vulnerable. There’s no forced update system for cars like there is for smartphones, which means millions of drivers are still riding with open doors in the digital sense.
Who is this for and who should skip it?If your vehicle features Bluetooth pairing and was built between 2019 and 2024 especially from European OEMs this matters to you. You’re not at risk from casual snoopers but from sophisticated hackers within Bluetooth range about 30 feet who could exploit the flaw with a single pairing request.
Owners of Mercedes, VW, and Skoda vehicles are at the highest known risk, but anyone using infotainment systems running BlueSDK is potentially exposed. This includes consumers and fleet operators who rely on remote telematics or in-vehicle communications for business or deliveries. The threat landscape has expanded beyond just data privacy it’s now about physical control and safety.
Conversely, if your infotainment system is regularly updated via OTA (like newer Tesla, Rivian, or BMW models), or if your vehicle doesn’t use the BlueSDK stack, you can breathe easier. But check anyway your Bluetooth stack isn’t listed on the Monroney sticker.
What’s the long-term significance?PerfektBlue will be remembered not just as an exploit, but as a cybersecurity wake-up call for automakers. It proves that even low-power wireless interfaces like Bluetooth can serve as high-stakes attack vectors when buried deep into vehicle software stacks. This isn’t just about fixing vulnerabilities it’s about redesigning how cars get secured and updated in real time.
OpenSynergy issued patches to OEMs in September 2024. But with patch lag common in the auto industry, many vehicles are still waiting for their fix. Until automotive cybersecurity is treated like public safety infrastructure and updates delivered like vaccines, we’ll keep seeing stories like this on loop.
PerfektBlue is the reminder that cars are now smartphones on wheels and Bluetooth isn’t just for playlists anymore. It’s a potential Trojan horse.
The post Bluetooth hack exposes millions of cars to remote risk appeared first on WHNT.
