Fri. Sep 26th, 2025

New Bluetooth Flaw ‘PerfektBlue’ Could Let Hackers Spy on Cars — Here’s How to Stay Safe

A newly discovered Bluetooth security flaw could allow hackers to spy on conversations, track vehicles, and access personal data through a car’s infotainment system, cybersecurity researchers warn. The vulnerability, named PerfektBlue, affects millions of devices using OpenSynergy’s BlueSDK, commonly integrated in vehicle infotainment systems, mobile devices, and even medical equipment.

Automotive cybersecurity firm PCA Cyber Security revealed that PerfektBlue can be exploited with minimal effort. An attacker only needs to be within Bluetooth range — approximately five to seven meters — and spoof a previously connected device to prompt the car user to accept a fake pairing request. If accepted, the hacker can gain unauthorized access to the infotainment system, track GPS locations, access the phonebook, record in-car conversations, and potentially escalate control to critical vehicle systems.

Brands impacted include Mercedes-Benz, Volkswagen, and Skoda, though researchers believe dozens of other companies may also be affected.

Volkswagen responded, saying that while unauthorized Bluetooth access is technically possible, several conditions must be met: the vehicle must be on, the infotainment system in pairing mode, and the user must approve the connection. The company emphasized that the issue does not compromise vehicle safety systems. Mercedes-Benz has not yet commented.

OpenSynergy, the company behind BlueSDK, has released software patches and stated it has been actively supporting its partners in deploying fixes to users. Many newer vehicles offer over-the-air (OTA) updates, allowing for seamless software upgrades via Wi-Fi or cellular connections. Older models may require manual updates through USB or a visit to a dealership.

To protect themselves, users are encouraged to update their vehicle’s software as soon as updates become available. Car manufacturers like Volkswagen and Mercedes typically notify customers via email, mail, or in-vehicle alerts when an update is released.

The Canadian Centre for Cyber Security has also issued Bluetooth safety guidelines:

  • Always use updated versions of Bluetooth to benefit from the latest security features.
  • Avoid transferring sensitive information over Bluetooth.
  • Disable discovery mode when not pairing.
  • Authenticate devices with pairing codes or passkeys.
  • Decline pairing requests from unknown sources.
  • Regularly review and remove unused or unfamiliar devices from your pairing list.
  • Only pair devices in secure environments.
  • Clear all personal data from a vehicle’s infotainment system before selling or returning it.

With PerfektBlue raising new concerns over Bluetooth security, experts stress that basic cyber hygiene — especially around connected cars — is now more critical than ever.
