Subaru Cars Can Be Easily Pwned Via $37 Of Hardware

If you own a Subaru, you might want to read this, as there is now a public, unpatched exploit that makes it very easy to clone key fobs and unlock cars:

Tom Wimmenhove, a Dutch electronics designer, has discovered a flaw in the key fob system used by several Subaru models, a vulnerability the vendor has not patched and could be abused to hijack cars. The issue is that key fobs for some Subaru cars use sequential codes for locking and unlocking the vehicle, and other operations. These codes — called rolling codes or hopping code — should be random, in order to avoid situations when an attacker discovers their sequence and uses the flaw to hijack cars. This is exactly what Wimmenhove did. He created a device that sniffs the code, computes the next rolling code and uses it to unlock cars…

The researcher said he reached out to Subaru about his findings. “I did [reach out]. I told them about the vulnerability and shared my code with them,” Wimmenhove told BleepingComputer. “They referred me to their ‘partnership’ page and asked me to fill in a questionnaire. It didn’t seem like they really cared and I haven’t heard back from them.”

That’s a pity. I guess they didn’t see this as something to be concerned about. I bet that once people read the story above and see the video below demonstrating the pwnage, they might change their tune:

Here’s the kicker: the pwnage was accomplished using a $25 Raspberry Pi B+ and two dongles, one for Wi-Fi ($2) and one for TV ($8), plus a $1 antenna and a $1 MCX-to-SMA converter. In other words, $37 of hardware was used to pull this off. Subaru really needs to step up and disclose how they are going to protect owners from this. And they need to do it quickly.
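As an added illustration (not code from the article or from Wimmenhove), the model below contrasts the sequential-code design described above, where seeing one code tells you the next, with a keyed rolling code that a receiver validates inside a resync window. The window size, the 4-byte code length and the shared secret are assumptions for the demo, not Subaru's actual scheme.

```python
import hmac
import hashlib

WINDOW = 16  # receiver resync window (assumed value for the demo)


class SequentialReceiver:
    """Weak design from the article: each press sends the next integer, any higher code is accepted."""
    def __init__(self):
        self.last = 0
    def accept(self, code: int) -> bool:
        if code <= self.last:          # stops replays, nothing else
            return False
        self.last = code
        return True


def rolling_code(secret: bytes, counter: int) -> bytes:
    """Keyed design (illustrative): truncated HMAC over the counter, unpredictable without the secret."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class KeyedFob:
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0
    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.secret, self.counter)


class KeyedReceiver:
    def __init__(self, secret: bytes):
        self.secret, self.last = secret, 0
    def accept(self, code: bytes) -> bool:
        # Only counters strictly after the last accepted one, within WINDOW, are valid.
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(rolling_code(self.secret, c), code):
                self.last = c
                return True
        return False


def demo():
    weak = SequentialReceiver()
    weak.accept(41)                          # legitimate press, observed over the air
    forged = weak.accept(41 + 1)             # the "next code" an eavesdropper can derive: accepted

    secret = b"constructed-demo-secret-16b"  # constructed; a real fob would hold a random per-fob key
    fob, car = KeyedFob(secret), KeyedReceiver(secret)
    first = fob.press()
    genuine = car.accept(first)
    replay = car.accept(first)               # same code again: rejected
    guess = car.accept(rolling_code(b"wrong-secret", 2))  # without the key: rejected
    return forged, genuine, replay, guess
```

The receiver window also lets a fob that was pressed out of range resync, which is why the keyed receiver searches forward rather than requiring exactly `last + 1`.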
