Vulnerabilities in a Subaru web portal allowed the pair remote access
Similar issues could affect a number of major automotive brands
A pair of hackers have revealed how they remotely took control of a Subaru Impreza, thanks to serious security flaws in the web portal behind Subaru’s Starlink connected-vehicle service. Sam Curry and Shubham Shah used the portal vulnerabilities to take control of Curry’s mother’s vehicle: they could unlock the car, honk its horn and start its ignition from any smartphone or computer they chose, according to a report by Wired.
Curry detailed his tactics in a video and a lengthy blog post, explaining how he was able to enter the web portal and hijack a Subaru employee’s account through its password-reset flow. Once inside, that single account gave him remote access to millions of Subaru vehicles, needing nothing more than a customer’s name, registration number, or zip code to find a car.
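The takeover described above hinges on a password-reset flow that takes the caller’s word for who they are. As an added example, not Subaru’s code and not taken from Curry’s write-up, the constructed Python below puts a reset handler of that shape next to a hardened one that issues a random, single-use, time-limited token delivered only to the account’s verified address, returns the same reply whether or not the account exists, and compares the token in constant time. The names `PortalDB`, `begin_reset`, `complete_reset`, the sample employee account and the in-memory “outbox” standing in for the mail system are all invented for the illustration.

```python
"""Password-reset account takeover, vulnerable vs hardened (constructed example).

A reset endpoint that only asks "which account?" lets anyone who knows an
employee's e-mail address choose that employee's new password.  The hardened
version below binds the reset to a random, single-use, short-lived token that
is delivered only to the account's verified address.  All names, the sample
account and the in-memory "mail outbox" are invented for this illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EMPLOYEE = "employee@example.com"          # constructed sample account
RESET_TTL_SECONDS = 15 * 60                # reset links die after 15 minutes
GENERIC_REPLY = "If that address has an account, a reset link has been sent."


def _digest(secret: str) -> str:
    # Store only a hash of the token, so a database leak does not leak live tokens.
    return hashlib.sha256(secret.encode()).hexdigest()


def hash_password(password: str) -> str:
    # Stand-in for a real slow hash (argon2id, scrypt or bcrypt) to keep the
    # example dependency-free; do not use bare SHA-256 for passwords in production.
    return hashlib.sha256(b"pw:" + password.encode()).hexdigest()


@dataclass
class User:
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None
    reset_expires_at: float = 0.0


class PortalDB:
    """In-memory stand-in for the portal's user store and mail system."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {EMPLOYEE: User(EMPLOYEE, hash_password("correct horse"))}
        self.outbox: List[Tuple[str, str]] = []   # (recipient, token) "e-mails"


def login(db: PortalDB, email: str, password: str) -> bool:
    user = db.users.get(email)
    return user is not None and hmac.compare_digest(user.password_hash, hash_password(password))


# --- vulnerable: the caller's claim of identity is never checked -------------
def reset_password_vulnerable(db: PortalDB, email: str, new_password: str) -> bool:
    """Anyone who can name an employee's address gets to pick the employee's password."""
    user = db.users.get(email)
    if user is None:
        return False
    user.password_hash = hash_password(new_password)
    return True


# --- hardened: two steps, tied together by an out-of-band token ---------------
def begin_reset(db: PortalDB, email: str, now: Optional[float] = None) -> str:
    """Issue a reset token to the account's verified address, or silently do nothing.

    The reply is identical whether or not the account exists, so the endpoint
    cannot be used to enumerate employee accounts.
    """
    now = time.time() if now is None else now
    user = db.users.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)                 # 256 bits of randomness
        user.reset_token_hash = _digest(token)
        user.reset_expires_at = now + RESET_TTL_SECONDS
        db.outbox.append((email, token))                  # real system: send an e-mail
    return GENERIC_REPLY


def complete_reset(db: PortalDB, email: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Accept the new password only with a fresh, unused token for this account."""
    now = time.time() if now is None else now
    user = db.users.get(email)
    if user is None or user.reset_token_hash is None:
        return False                                      # no reset in progress
    if now > user.reset_expires_at:
        user.reset_token_hash = None                      # stale token is dead for good
        return False
    if not hmac.compare_digest(_digest(token), user.reset_token_hash):
        return False                                      # wrong token; keep the real one
    user.reset_token_hash = None                          # single use: replay fails
    user.password_hash = hash_password(new_password)
    return True


if __name__ == "__main__":
    db = PortalDB()
    # Attacker knows only the employee's address and walks straight in.
    reset_password_vulnerable(db, EMPLOYEE, "attacker-chosen")
    print("vulnerable portal, attacker login:", login(db, EMPLOYEE, "attacker-chosen"))

    db = PortalDB()
    print("hardened, no token:", complete_reset(db, EMPLOYEE, "guess", "attacker-chosen"))
    begin_reset(db, EMPLOYEE)
    token = db.outbox[-1][1]                              # only the mailbox owner sees this
    print("hardened, real token:", complete_reset(db, EMPLOYEE, token, "new-password"))
    print("hardened, replayed token:", complete_reset(db, EMPLOYEE, token, "again"))
```

The hardened flow still needs rate limiting on both endpoints and a second factor that is enforced on the server, not in the browser; neither is shown here because the page only establishes the reset weakness itself.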
The prolific hacker disclosed that he could retrieve at least a year’s worth of location history from his mother’s car, including detailed maps of her exact whereabouts, down to the specific parking space she frequented whenever she visited church.
Subaru patched the employee portal promptly after the report and defended its collection of location data as necessary for emergency assistance and stolen-vehicle tracking. Curry and other researchers counter that manufacturers collect far more location data than those purposes require, and note that similarly serious flaws have been found in the web tools of other automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia and Toyota.
Analysis: The connected car is a data privacy nightmare
Earlier this week, security researchers from Kaspersky published a report that revealed how the team had found 13 vulnerabilities in the first-generation Mercedes-Benz User Experience (MBUX) infotainment system. These flaws would allow hackers to potentially steal data and disable anti-theft protections should they be able to get physical access to the vehicle. Mercedes-Benz said that it had been aware of Kaspersky’s findings since 2022 and that the vulnerabilities had been patched.
Moreover, the German company pointed out that the head unit of its infotainment system had to be removed and opened for a successful hack to take place. That puts the MBUX flaws in a different class from the Subaru issue: they require hands-on access to one car, whereas the Subaru portal could be reached over the internet and used against any vehicle in the fleet.
That said, industry insiders and cybersecurity experts have warned for a long time that modern connected cars pose a serious security risk, with Mozilla going so far as to say “modern cars are a privacy nightmare” in a report released in 2023.
Mozilla found that many carmakers collect more data than they need, make it near impossible for users to opt out of the harvesting, and then sell the information to third parties without the user knowing.
Beyond the invasion of privacy, the cameras, microphones and always-on internet connection fitted to modern vehicles give would-be attackers a plethora of ways to gain remote access.
Automotive manufacturers are clearly aware of this and many have created standalone software divisions to help deal with the threat, but it’s clear that there is still work to do.
**Full Review:**
**The Story So Far:**
Imagine a world where hackers could remotely take control of your car, honk its horn, unlock its doors, and even start its ignition, all with just a few clicks on a smartphone or computer. This was the reality that Sam Curry and Shubham Shah uncovered when they exposed serious security flaws in the web portal behind Subaru’s Starlink connected-vehicle service. Through those vulnerabilities, they were able to access Curry’s mother’s Subaru Impreza and manipulate its functions at will. The implications of such breaches extend beyond a single vehicle, raising concerns about the security of numerous major automotive brands.
**Detailed Review:**
Curry’s detailed account of the hack sheds light on the alarming ease with which he gained access to the Subaru web portal and took control of the vehicle. By abusing the portal’s password-reset flow to take over an employee account, he inherited that account’s reach across millions of Subaru vehicles, including their location histories and other personal information. The breach compromised individual privacy, but it also exposed a systemic weakness: a connected car is only as secure as the back-office web tools that can command it, and here those tools stood behind a single employee login. Flaws of this kind call for manufacturers to harden account recovery and authentication on their portals and to limit the data those portals can reach.
**Conclusion:**
The revelations from Curry and Shah underscore the urgent need for heightened cybersecurity measures in the automotive sector. As cars become increasingly connected and technologically advanced, the risks of data breaches and remote hacks loom large. Manufacturers must prioritize security enhancements and vigilantly monitor for vulnerabilities to safeguard both user privacy and vehicle integrity. The onus is on the industry to address these challenges proactively and ensure that consumer trust and safety remain paramount in the age of connected cars.
**Frequently Asked Questions:**
**1. Are modern cars vulnerable to remote hacking?**
Yes. The Subaru case showed that a flaw in a manufacturer’s back-end web portal can be used to locate, unlock and start vehicles over the internet without ever touching the car. Not every infotainment bug is remote, however: the MBUX flaws found by Kaspersky required physical access to the head unit.
**2. How can consumers protect their vehicles from cyber threats?**
Owners can keep vehicle and companion-app software up to date, protect their own connected-services account with a unique password and multi-factor authentication where it is offered, and review the car’s data-sharing settings. The Subaru flaw, however, sat in the manufacturer’s employee portal, so no owner-side precaution would have prevented it; that class of risk can only be reduced by the manufacturer.
**3. What steps are automotive manufacturers taking to address cybersecurity risks?**
Automakers are investing in dedicated cybersecurity divisions and implementing robust security protocols to mitigate the threat of hacking and data breaches.
**4. Is the collection of location data by car companies a privacy concern?**
The collection of extensive location data by car companies raises significant privacy concerns, as highlighted by recent security breaches in the automotive industry.
**5. What role does user awareness play in preventing cyber attacks on vehicles?**
User awareness is crucial in preventing cyber attacks on vehicles, as informed consumers can take proactive measures to secure their cars and data.
**6. How can hackers exploit vulnerabilities in connected cars?**
Attack paths into a connected car include the manufacturer’s cloud back end and web portals (as in the Subaru case), the owner’s mobile app and account, the vehicle’s own wireless interfaces such as cellular telematics, Wi-Fi and Bluetooth, and, given physical access, the infotainment head unit itself (as with MBUX).
**7. What are the potential consequences of a successful car hack?**
A successful car hack can lead to unauthorized access to vehicle controls, theft of personal data, disabling of anti-theft systems, and compromising overall safety and security.
**8. What measures can car manufacturers implement to enhance cybersecurity?**
Car manufacturers can enhance cybersecurity by hardening account recovery and authentication on their back-office portals (single-use reset tokens, multi-factor authentication enforced on the server), checking authorization on every vehicle lookup and command, collecting and retaining less location data, conducting regular security audits and penetration tests, and running disclosure programs so that researchers such as Curry and Shah can report findings before attackers find them.
**9. How can consumers stay informed about cybersecurity risks in the automotive industry?**
Consumers can stay informed about cybersecurity risks in the automotive industry by following updates from manufacturers, security researchers, and industry watchdogs.
**10. What are the long-term implications of cybersecurity vulnerabilities in connected cars?**
The long-term implications of cybersecurity vulnerabilities in connected cars include risks to user safety, privacy breaches, financial losses, and damage to brand reputation. It is imperative for the industry to prioritize cybersecurity to mitigate these risks effectively.
**Tags: connected cars, cybersecurity, automotive industry, data privacy, remote hacking**