Hackers expose serious Subaru security flaws that allowed them to start cars remotely

A pair of hackers have revealed how they remotely took control of a Subaru Impreza, thanks to a serious security flaw in Subaru’s Starlink-connected infotainment system.

Sam Curry and Shubham Shah (the latter was working remotely) managed to leverage vulnerabilities in a Subaru web portal that allowed the pair to take control of Curry’s mother’s vehicle, including the ability to unlock the car, honk its horn and start its ignition with any smartphone or computer they chose, according to a report by Wired.

Curry revealed his tactics in a video and a long blog post, which details how he was able to get into said web portal and hijack the account of a Subaru employee by resetting a password, which would later allow him to remotely access millions of Subaru cars with a customer's name, registration number or postal code.

The prolific hacker claims that it was possible to retrieve at least a year’s worth of his mother’s car’s location history, with specific points mapped precisely to where it had been, down to the exact parking space she parked in every time she went to church.

Subaru says that once the pair had informed the company, the vulnerability in its portal was patched, and adds that it is vital that the company collects location data to support its emergency assistance and stolen vehicle assistance services.

However, Curry and the broader hacking community say that brands have little need to collect years of customers’ location data. In addition, he believes that this type of web vulnerability is not limited to Subaru, pointing to similarly serious hackable bugs in Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and others.

Earlier this week, security researchers from Kaspersky published a report that revealed how the team had found 13 vulnerabilities in the first-generation Mercedes-Benz User Experience (MBUX) infotainment system.

These flaws would allow hackers to potentially steal data and disable anti-theft protections should they be able to get physical access to the vehicle. Mercedes-Benz said that it had been aware of Kaspersky’s findings since 2022 and that the vulnerabilities had been patched.

Moreover, the German company pointed out that the head unit of its infotainment system had to be removed and opened for a successful hack to take place – making it slightly less worrying than the issues found with Subaru’s vehicles.

That said, many industry insiders and cybersecurity experts have long warned that modern connected cars pose a serious security risk, with Mozilla going so far as to say “modern cars are a privacy nightmare” in a report released in 2023.

Mozilla found that many cars collect more data than they need to, make it near impossible for users to opt out of the harvesting, and then go on to sell this information to third parties without the user knowing.

Aside from being a massive invasion of privacy, vehicles equipped with cameras, microphones, and a constant connection to the internet now offer a plethora of ways for potential hackers to gain remote access.

Automotive manufacturers are clearly aware of this and many have created standalone software divisions to help deal with the threat, but it’s clear that there is still work to do.

Leon has been navigating a world where automotive and tech collide for almost 20 years, reporting on everything from in-car entertainment to robotised manufacturing plants. Currently, EVs are the focus of his attentions, but give it a few years and it will be electric vertical take-off and landing craft. Outside of work hours, he can be found tinkering with distinctly analogue motorcycles, because electric motors are no replacement for an old Honda inline four.
