PCA Cyber Security Researchers identified critical vulnerabilities in the Bluetooth stack of Blue SDK

PCA Cyber Security, a leading provider of penetration testing, threat intelligence, and cybersecurity monitoring services, today announces critical vulnerabilities in Blue SDK Bluetooth stack developed by OpenSynergy. Blue SDK is integrated into millions of devices, and the list of potentially affected vendors includes at least 69 big international companies. PCA Security Assessment team reported the vulnerabilities to OpenSynergy on May 24, 2024, and they were subsequently acknowledged and confirmed by OpenSynergy upon receipt. According to OpenSynergy, patches were rolled out in September 2024. 

Introducing PerfektBlue – 1-click RCE attack

 

PerfektBlue is the industry-wide critical over-the-air attack chain affecting devices in automotive and other industries. The exploitation chain covers multiple vulnerabilities found in the specific Bluetooth stack highly utilized in the industry. Successful exploitation of the identified vulnerabilities leads to Remote Code Execution on a target device.

PerfektBlue exploitation attack is a combination of critical memory corruption and logical vulnerabilities identified in OpenSynergy Blue SDK Bluetooth stack which can be chained to achieve Remote Code Execution (RCE) on millions of vehicles produced by numerous and unrelated manufacturers. Although designed and utilized primarily in the automotive industry, Blue SDK stack can be also found in other products, such as mobile phones and portable gadgets. This makes PerfektBlue a cross-industry vulnerability chain. PCA security researcher, Mikhail Evdokimov, who originally discovered PerfektBlue, developed a successful proof-of-concept exploitation, demonstrating how attackers could construct powerful primitives to bypass all the standard security mitigations on modern systems and achieve over-the-air remote code execution.

The only prerequisite for PerfektBlue attack is pairing with the target device at a sufficient security level. However, due to the framework-based nature of BlueSDK, this requirement varies by implementation – some devices may limit pairing requests, require user interaction, or even disable pairing altogether.

Essentially, PerfektBlue requires at most 1-click from a user to be exploited over-the-air by an attacker.

 

What are the Potential Impacts?

 

Having code execution on an IVI (in-vehicle-infotainment) device – Bluetooth-enabled part of a modern vehicle, it's possible for an attacker to track GPS coordinates, record and play audio inside a car, obtain personal phonebook data, although on some systems these impacts might additionally require a privilege escalation step from Bluetooth service user to root.

Finally, an attacker with code execution on the IVI can try to perform lateral movement to other ECUs - legitimately or by exploiting other software components - and obtain access to critical elements of a car, such as steering wheel, horn, wipers, etc. PCA researchers didn’t achieve this level of access on targets vulnerable to PerfektBlue. Nevertheless, previous PCA research not related to PerfektBlue, but with IVI Bluetooth as an attack entry point to the vehicle, proved such a possibility.

To protect against PerfektBlue, PCA suggests product owners to keep their system up-to-date or disable the Bluetooth functionality entirely. At the same time, product manufacturers are advised to check presence of vulnerabilities in their products through their supply chains and get in touch with PCA Cyber Security’s experts to confirm PerfektBlue, discover other, yet unknown issues in their products, and receive professional remediation advisory.

Have the Affected Vendors and OEMs Been Informed?

 

In line with our responsible disclosure practices, PCA Cyber Security reported the identified vulnerabilities to OpenSynergy prior to publication. The company acknowledged our findings and confirmed their intention to notify all affected vendors.

In addition, PCA Cyber Security notified Volkswagen/Skoda, Mercedes-Benz, and a third undisclosed OEM security teams that PCA proved their products are affected. PCA provided a high-level attack description, CVE numbers reserved through MITRE, and vulnerabilities confirmation materials to each OEM’s security team individually. Although many other OEMs are potentially affected, by the time of publication PCA only directly reported to OEMs, whose products were proven vulnerable, as soon as vulnerabilities were confirmed at PCA research lab. All approached OEMs confirmed presence of the vulnerabilities in their products.

Although OpenSynergy intended to inform affected parties, this information did not successfully reach some affected OEMs. One of the reasons might be a long and complex supply chain. PCA faced this lack of awareness once confirmed PerfektBlue on undisclosed OEM’s products and reported to their security team on the 6th of June 2025. Since this OEM only recently became aware of PerfektBlue in their products, PCA currently does not disclose this OEM and will update our public advisory with more details and vulnerability confirmation proofs when affected products are patched.

Interviews & Technical Insights

 

The public Security Advisory of PerfektBlue is now available at perfektblue.pcacybersecurity.com. Further and deeper technical details of our research will be presented at one of the upcoming industry events (TBC) later this year. In the meantime, journalists can request interviews (via email) with the leader of PCA Cyber Security’s Security Assessment team for further insights.

For media inquiries, contact Kamilla Tóth, Marketing Director, PCA Cyber Security (k.toth@pcacybersecurity.com).

 

About PCA Cyber Security

PCA Cyber Security is a cybersecurity company specializing in penetration testing, threat intelligence, and cybersecurity monitoring for automotive, financial services, energy, and manufacturing industries. Founded in 2019 and headquartered in Budapest, Hungary, PCA Cyber Security employs 30 cybersecurity experts focused on embedded devices, IoT systems, and connected infrastructure.
PCA Cyber Security works with leading brands to enhance the security of vehicles, ECUs, payment platforms, payment terminals, and other connected devices, including their infrastructure. Beyond cybersecurity assessment, PCA Cyber Security delivers threat intelligence and monitoring services, helping organizations mitigate cyber risks and stay ahead of attackers.
In 2024, PCA Cyber Security expanded with regional sales offices in Madrid, Spain, and Munich, Germany, further supporting its global client base.
For more information, visit: https://pcacybersecurity.com/

Contact:
Kamilla Tóth
Marketing Director, PCA Cyber Security
k.toth@pcacybersecurity.com

About OpenSynergy

OpenSynergy provides embedded software products for the next generation of vehicles. Its hypervisor and communication products pave the way for an integrated driving experience. 
The automotive virtual platform COQOS Hypervisor SDK integrates a mix of real-time applications and open source solutions on powerful domain controllers. It supports a large bundle of features corresponding to the virtualization standard VIRTIO, creating maximum flexibility: guest operating systems can be used and reused on different Systems on Chips. The automotive leading Bluetooth® stack Blue SDK is one of OpenSynergy’s communications platforms. It is the reference Bluetooth® implementation for many OEMs around the world. OpenSynergy further provides complimentary Automotive-Grade software components tailored for the AndroidTM Open Source Project (AOSP) to boost Android’s adoption in the automotive domain. OpenSynergy also provides engineering services to support the customization of its products. Read more on www.opensynergy.com

Contact:
Tel.: +49 (0)30.60 98 540-41
Email: marketing@opensynergy.com