Subaru Hack: Millions of Cars Vulnerable to Remote Control

Subaru Web Portal Vulnerabilities Exposed

Recent reports indicate that security vulnerabilities within a Subaru web portal were identified approximately one year ago by two security researchers.

These flaws potentially enabled unauthorized access to vehicle controls and the tracking of driver location information, as detailed in a Wired report.

Vulnerability Resolution and Ongoing Concerns

Subaru has addressed the identified vulnerabilities following a disclosure of the findings by researchers Sam Curry and Shubham Shah.

However, both researchers emphasize that rectifying these specific security issues represents only a temporary solution to a broader, more systemic problem concerning vehicle security.

Details of the Security Breach

The researchers successfully compromised a test vehicle through an employee-facing web portal.

This unauthorized access granted them the ability to remotely initiate the car’s engine, monitor the vehicle’s real-time location, and access a complete year’s history of location data.

Potential for Misuse of Data

Curry highlighted the potential for malicious use of this data, stating, “Whether somebody’s cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”

The ongoing risk stems from the fact that as long as employees retain access to sensitive data, the information remains susceptible to increasingly sophisticated hacking techniques.

Industry-Wide Implications

The researchers further observed that this vulnerability is not isolated to Subaru.

Similar web-based flaws have been detected in other automotive manufacturers, including:

• Acura
• Genesis
• Honda
• Hyundai
• Infiniti
• Kia
• Toyota

This indicates a widespread issue affecting the security of connected car technology across the automotive industry.