Millions of Subarus Could Be Remotely Unlocked

Monday, January 27, 2025

About a year ago, security researcher Sam Curry bought his mother a Subaru, on the condition that, at some point in the near future, she let him hack it.

Posted by LampLighter at 01:33 PM | 9 COMMENTS | permalink | Comment on This Entry |

Alternate links: Google News | Twitter

Now-fixed web bugs allowed hackers to remotely unlock and start millions of Subarus. More disturbingly, they could also access at least a year of cars' location histories--and Subaru employees still can.

[image or embed]
-- WIRED (@wired.com) January 23, 2025 at 8:28 AM

Comments

Admin's note: Participants in this discussion must follow the site's moderation policy. Profanity will be filtered. Abusive conduct is not allowed.

More from the article...

... It took Curry until last November, when he was home for Thanksgiving, to begin examining the 2023 Impreza's Internet-connected features and start looking for ways to exploit them.

Sure enough, he and a researcher working with him online, Shubham Shah, soon discovered vulnerabilities in a Subaru web portal that let them hijack the ability to unlock the car, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.

Most disturbing for Curry, though, was that they found they could also track the Subaru's location -- not merely where it was at the moment but also where it had been for the entire year that his mother had owned it.

The map of the car's whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church. ...

#1 | Posted by LampLighter at 2025-01-26 12:54 AM | Reply

@#1 ... reassigning control of those features to any phone or computer they chose. ..

Oops.

#2 | Posted by LampLighter at 2025-01-26 12:56 AM | Reply

People design these systems without focusing on how they can be exploited.

Now that it is exposed is the moment for management to step up and fix the issue.

Kia/Hyundai knew it's cars could be stolen very easily due to them taking engine immobilizers out of the starter system and they chose to do the bare minimum to remedy the situation which was easily defeated by thieves. Now they won't even address the issue with repairs.

#3 | Posted by Nixon at 2025-01-27 02:32 PM | Reply

I'd guess that several car brands have similar issues.

#4 | Posted by Whatsleft at 2025-01-27 03:06 PM | Reply

How is this not true of every car brand?

#5 | Posted by Angrydad at 2025-01-27 07:12 PM | Reply

Every internet and remote control feature is a security threat that can be hacked or disabled. In fact every critical control system years ago that required critical security used what they called private wire control, meaning only one physical point of input control. No multiple security interfaces with sophisticated "security" and passwords. They had one electrical and physical entrance into the system.

It should make every car owner wish for the past. Where nothing tracked you and nothing spied on you and you had both security and privacy.

#6 | Posted by Robson at 2025-01-27 07:23 PM | Reply

I'd guess that several car brands have similar issues.

#4 | Posted by Whatsleft at 2025-01-27 03:06 PM | Reply

I know Jeeps had it as well. www.wired.com

#7 | Posted by Nixon at 2025-01-28 11:47 AM | Reply

Just remove the air fryer from the car, done.

#8 | Posted by redlightrobot at 2025-01-28 01:28 PM | Reply

If you see a woman driving a Subaru the chances are she's wearing a flannel shirt.

#9 | Posted by visitor_ at 2025-01-28 03:11 PM | Reply