- Two hackers exposed serious security flaws in a 2023 Subaru Impreza
- Vulnerabilities in a Subaru web portal allowed the pair remote access
- Similar issues could affect a number of major automotive brands
A pair of hackers have revealed how they remotely took control of a Subaru Impreza, thanks to a serious security flaw in Subaru’s Starlink-connected infotainment system.
Sam Curry and Shubham Shah (the latter was working remotely) managed to leverage vulnerabilities in a Subaru web portal that allowed the pair to take control of Curry’s mother’s vehicle, including the ability to unlock the car, honk its horn and start its ignition with any smartphone or computer they chose, according to a report by Wired.
Curry revealed his tactics in a video and a lengthy blog post, which went into detail about how he was able to enter said web portal and hijack a Subaru employee’s account by simply resetting a password, which would then allow him to tap into millions of Subaru vehicles remotely with a customer’s name, registration number, or zip code.
The prolific hacker claims that it was possible to retrieve at least a year’s worth of location history from his mother’s car, including accurately mapped details of exactly where she had been, down to the exact parking space his mother parked in every time she went to church.
Subaru claims that once the pair had notified the company, it set to work fixing and patching the vulnerability in its employee portal while adding that it’s important for the company to collect location data to help its employees assist with emergencies and to help track stolen vehicles.
However, Curry and the wider hacking community say that there is little need for manufacturers to collect years’ worth of customer location data. Further, he believes that the sort of web vulnerabilities aren’t just limited to Subaru – similarly serious hackable bugs exist in the web tools of Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others.
Analysis: The connected car is a data privacy nightmare
Earlier this week, security researchers from Kaspersky published a report that revealed how the team had found 13 vulnerabilities in the first-generation Mercedes-Benz User Experience (MBUX) infotainment system.
These flaws would allow hackers to potentially steal data and disable anti-theft protections should they be able to get physical access to the vehicle. Mercedes-Benz said that it had been aware of Kaspersky’s findings since 2022 and that the vulnerabilities had been patched.
Moreover, the German company pointed out that the head unit of its infotainment system had to be removed and opened for a successful hack to take place – making it slightly less worrying than the issues found with Subaru’s vehicles.
That said, many industry insiders and cybersecurity experts have warned that modern connected car poses a serious security risk for a long time, with Mozilla going so far as to say “modern cars are a privacy nightmare” in a report released in 2023.
Mozilla found that many cars collect more data than they need to, making it near impossible for users to opt out of the harvesting and then go on to sell this information to third parties without the user knowing.
Aside from being a massive invasion of privacy, vehicles equipped with cameras, microphones, and a constant connection to the internet now offer a plethora of ways for potential hackers to gain remote access.
Automotive manufacturers are clearly aware of this and many have created standalone software divisions to help deal with the threat, but it’s clear that there is still work to do.
