Two hackers have uncovered serious security vulnerabilities in Subaru’s Starlink-connected infotainment system, allowing them to remotely control a 2023 Subaru Impreza. While the flaws have since been patched, the discovery raises concerns about the security of connected car systems across major automotive brands.
How the Hack Unfolded
Sam Curry and Shubham Shah, working remotely, exploited vulnerabilities in a Subaru web portal to gain access to Curry’s mother’s vehicle. Using any smartphone or computer, they were able to unlock the car, honk its horn, and even start the ignition. According to a report by Wired, the hackers reset the password on a Subaru employee’s account, and that account gave them access to millions of Subaru vehicles using only basic customer information such as name, registration number, or zip code.
In a detailed blog post and accompanying video, Curry explained how he accessed the web portal and retrieved over a year’s worth of location history from his mother’s car. This included precise details of her movements, down to the exact parking space she used during her weekly church visits.
Subaru’s Response
Subaru acted swiftly after being notified of the vulnerabilities, patching the security flaws in its employee portal. The company emphasized the importance of collecting location data to assist in emergencies and track stolen vehicles. However, Curry and other cybersecurity experts argue that there is no need for manufacturers to store years of customer location data, as it poses significant privacy risks.
A Wider Issue in the Automotive Industry
Curry warns that similar vulnerabilities are not unique to Subaru. He believes that other major automotive brands, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota, may also have exploitable flaws in their web tools. This revelation highlights the growing need for stronger cybersecurity measures in the automotive industry as vehicles become increasingly connected.
What This Means for Car Owners
While Subaru has addressed the immediate threat, this incident serves as a stark reminder of the potential risks associated with connected car systems. Car owners are advised to stay informed about software updates from manufacturers and to be cautious about sharing personal information linked to their vehicles.
Conclusion
The Subaru security breach underscores the importance of robust cybersecurity in the automotive sector. As hackers continue to expose vulnerabilities, manufacturers must prioritize the protection of customer data and vehicle functionality. For now, Subaru drivers can breathe a sigh of relief, but the broader issue of connected car security remains a pressing concern.