- Two hackers revealed serious security flaws in a 2023 Subaru Impreza
- Vulnerabilities in a Subaru web portal gave the pair remote access
- Similar problems can affect a number of large car brands
Two hackers have revealed how they remotely took control of a Subaru Impreza, thanks to a serious security flaw in Subaru's Starlink-connected infotainment system.
Sam Curry and Shubham Shah (the latter working externally) managed to exploit vulnerabilities in a Subaru web portal that let the pair take control of Curry's mother's vehicle, including the ability to unlock the car, honk the horn and start its ignition from any smartphone or computer they chose, according to a report from Wired.
Curry revealed his tactics in a video and a long blog post that detailed how he was able to get into the aforementioned web portal and hijack a Subaru employee's account simply by resetting a password, which then gave him the ability to remotely access millions of Subaru vehicles using only a customer's name, registration number or zip code.
The prolific hacker claims it was possible to pull at least one year of location history from his mother's car, including precisely mapped details of exactly where she had been, down to the exact parking lot she used every time she went to church.
Subaru says that once the pair had notified the company, it began to fix and patch the vulnerability in its employee portal, adding that it is important for the company to collect location data so that its employees can help in emergencies and track stolen vehicles.
However, Curry and the wider hacker community say there is little need for manufacturers to collect many years of customer location data. Furthermore, he believes that such web vulnerabilities are not limited to Subaru; similarly serious, hackable flaws have been found in the web tools of Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and many others.
Analysis: The connected car is a data protection nightmare
Earlier this week, Kaspersky security researchers published a report revealing how the team had found 13 vulnerabilities in the first-generation Mercedes-Benz User Experience (MBUX) infotainment system.
These flaws could allow hackers to steal data and disable anti-theft protection if they are able to gain physical access to the vehicle. Mercedes-Benz said it had been aware of Kaspersky's findings since 2022 and that the vulnerabilities had been fixed.
In addition, the German company pointed out that the head unit of its infotainment system had to be removed and opened for a successful attack to take place, making it somewhat less worrying than the problems found in Subaru's vehicles.
That said, many industry insiders and cybersecurity experts have long warned that modern connected cars pose a serious security risk, with Mozilla going so far as to say "modern cars are a privacy nightmare" in a report released in 2023.
Mozilla found that many cars collect more data than they need, make it almost impossible for users to opt out of the collection, and then sell this information to third parties without the user's knowledge.
In addition to being a massive violation of privacy, vehicles equipped with cameras, microphones and a constant internet connection now offer a wealth of ways for potential attackers to gain remote access.
Car manufacturers are clearly aware of this, and many have created independent software divisions to help deal with the threat, but it is clear that there is still work to do.