- Two hackers exposed serious security flaws in a 2023 Subaru Impreza
- Vulnerabilities in a Subaru web portal allowed the pair remote access
- Similar problems could affect a number of major automotive brands
A pair of hackers have revealed how they remotely took control of a Subaru Impreza, thanks to a serious security flaw in Subaru’s Starlink-connected infotainment system.
Sam Curry and Shubham Shah (the latter operating remotely) managed to exploit vulnerabilities in a Subaru web portal that allowed the pair to take control of Curry’s mother’s vehicle, including the ability to unlock the car, honk the horn and start the ignition from any smartphone or computer they chose, according to a report from Wired.
Curry revealed his methods in a video and a lengthy blog post, which went into detail about how he was able to break into said web portal and hijack a Subaru employee’s account by simply resetting a password, which would then give him remote access to millions of Subaru vehicles using only a customer’s name, registration number or zip code.
The prolific hacker claims it was possible to recover at least a year’s worth of location history from his mother’s car, including precisely mapped details of exactly where it had been, down to the exact parking lot his mother used every time she went to work or to church.
Subaru says that once the pair had notified the company, it got to work fixing and patching the vulnerability in its employee portal, adding that it is important for the company to collect location data so that its employees can assist with emergencies and help track stolen vehicles.
However, Curry and the broader hacking community say there is little need for manufacturers to collect customer location data. Furthermore, he believes that this type of web vulnerability is not limited to Subaru: equally serious, exploitable bugs exist in the web tools of Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and many others.
Analysis: The connected car is a data privacy nightmare
Earlier this week, security researchers at Kaspersky published a report that revealed how the team had found 13 vulnerabilities in the first-generation Mercedes-Benz User Experience (MBUX) infotainment system.
These flaws would allow hackers to steal data and disable anti-theft protections if they can gain physical access to the vehicle. Mercedes-Benz said it had been aware of Kaspersky’s findings since 2022 and that the vulnerabilities had been patched.
Additionally, the German company noted that the head unit of its infotainment system had to be removed and opened for a successful attack to be carried out, making it somewhat less concerning than the problems found with Subaru vehicles.
That said, many industry and cybersecurity experts have long warned that the modern connected car represents a serious security risk, with Mozilla going so far as to say that “modern cars are a privacy nightmare” in a report published in 2023.
Mozilla found that many cars collect more data than they need, make it nearly impossible for users to opt out of that data harvesting, and then sell this information to third parties without the user’s knowledge.
In addition to being a massive invasion of privacy, vehicles equipped with cameras, microphones, and a constant connection to the Internet now offer a host of ways for would-be hackers to gain remote access.
Automakers are clearly aware of this and many have created separate software divisions to help deal with the threat, but it is clear that there is still work to be done.