- Two hackers have exposed serious security defects in a Subaru Impreza in 2023
- Vulnerabilities in a Subaru web portal gave the pair remote access
- Similar problems could affect a number of major automotive brands
A pair of hackers have revealed how they took remote control of a Subaru Impreza, thanks to a serious security flaw in the infotainment system connected to Subaru Starlink.
Sam Curry and Shubham Shah (the latter worked remotely) managed to exploit vulnerabilities in a Subaru web portal that allowed the pair to take control of Curry’s mother’s car, including the ability to unlock the car, honk its horn and start its ignition from any smartphone or computer they chose, according to a WIRED report.
Curry revealed his tactics in a video and a long blog post, which detailed how he was able to get into the web portal and hijack a Subaru employee's account by simply resetting a password. This would then allow him to access millions of Subaru vehicles remotely using a customer's name, registration number or postal code.
The prolific hacker claims that it was possible to retrieve at least a year of location history for his mother’s car, including precisely mapped details of where she had been, down to the exact parking space his mother used every time she went to church.
Subaru says that once the pair had informed the company, it set to work and fixed the vulnerability in its employee portal, adding that it is important for the company to collect location data so that its employees can assist in emergencies and help track stolen vehicles.
However, Curry and the wider hacking community say that manufacturers have little need to collect years of customer location data. In addition, he believes that this type of web vulnerability is not limited to Subaru, with hackable bugs in the web tools of Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and many others.
Analysis: the connected car is a data privacy nightmare
Earlier this week, Kaspersky security researchers published a report that revealed how the team had found 13 vulnerabilities in the Mercedes-Benz User Experience (MBUX) infotainment system.
These flaws could allow hackers to steal data and disable anti-theft protections if they gained physical access to the vehicle. Mercedes-Benz said that it had been aware of Kaspersky’s findings since 2022 and that the vulnerabilities had been fixed.
In addition, the German company stressed that the head unit of its infotainment system had to be removed and opened for a successful hack to take place, which makes it a little less worrying than the problems found with Subaru's vehicles.
That said, many industry insiders and cybersecurity experts have long warned that the modern connected car poses a serious security risk, with Mozilla going so far as to say that “modern cars are a privacy nightmare” in a report published in 2023.
Mozilla found that many cars collect more data than they need, make it almost impossible for users to opt out of that collection, and then sell this information to third parties without the user knowing.
In addition to being a massive invasion of privacy, vehicles equipped with cameras, microphones and a constant internet connection now offer a plethora of ways for would-be hackers to obtain remote access.
Car manufacturers are clearly aware of this and many have created standalone software divisions to help cope with the threat, but it is clear that there is still work to do.