Your Mercedes or Volkswagen could get hacked via Bluetooth

Cars are computers too, especially any car made in the last decade or so. And that means that they’re vulnerable to some of the same kind of hacking issues that affect computers, if not so frequently targeted. A newly discovered flaw in their Bluetooth system means vehicles made by Mercedes-Benz, Volkswagen, and Skoda are vulnerable to a “one-click” attack, including remote code execution.

So sayeth PCA CyberSecurity, which has dubbed the vulnerability PerfektBlue. It’s an issue with vehicles that use OpenSynergy’s BlueSDK system, which include major infotainment and vehicle management systems in Volkswagen and Mercedes cars, with Czech manufacturer Skoda also confirmed vulnerable. A fourth manufacturer has been confirmed, but not named. Remote code execution on these systems is possible, i.e. installing a malware payload or other program, plus GPS location tracking and microphone recording with Bluetooth-connected hardware, among other issues.

Alarmingly, software vendor OpenSynergy and its vehicle manufacturer partners have known about this issue for over a year, according to BleepingComputer. OpenSynergy confirmed that it had received PCA CyberSecurity’s report in May of 2024 and had issued security patches for BlueSDK by September, but many of the manufacturers using the system still haven’t issued software updates patching the vulnerabilities. Millions of cars on the road could be affected, though due to proprietary systems, it’s hard to nail down exactly which car brands and models have BlueSDK, and which version.

While it is remarkably easy for an attacker to use the “one-click” PerfektBlue exploit, it still requires access via Bluetooth. That limits the effective range to about 30 feet, and it’s only possible while the car is operating.