In today’s digital era, car theft has never been more seamless. In recent years, the automotive space has been filled with news of stolen cars. In many instances, the thieves were miles away and only needed to hack their way into stealing these vehicles. Subaru owners would have been victims of one of these hacks, but disaster has been averted. Sam Curry, an ethical hacker, is credited with preventing this potential disaster. So, what exactly did he do?
The Plot
About a year prior to this finding, Curry proposed to buy his mother a Subaru. But there was a caveat: at some point in the near future, she would let him hack it. We can assume that she agreed to his deal, and he went ahead and bought her a 2023 Subaru Impreza. Towards the close of 2024, Curry fulfilled his end of the deal by hacking his mum’s car.
In the course of hacking, Curry and a colleague, Shubham Shah, discovered a loophole in Subaru’s Starlink multimedia technology. This technology is the software that controls the infotainment and navigation systems of Subaru vehicles. It is noteworthy that this kind of software is a target for hackers because of the loads of information it contains. That aside, Curry and Shah discovered a way to gain administrator access to Subaru’s Starlink and add themselves to individual accounts.
What Were Their Findings?
With such access, they could essentially find and assume control of any Subaru connected to Starlink. The hijack enabled them to unlock the car, honk its horn, start its ignition and see the vehicle’s current location. They could also reassign the control of many features to any phone or computer of their choosing. Additionally, Curry and Shah could pull the vehicle’s location history over the previous 12 months. Curry explained that the map of the car’s whereabouts was so accurate and detailed that he was able to see his mother’s doctor visits, the homes of the friends she visited, and even the exact parking space she parked in every time she went to church. We can agree that this is terrifying, right?
Moreover, the personal data of authorised users on the account was also at risk. Physical addresses and the last four digits of any credit cards associated with the account were accessible. Subaru owners should be glad that ‘ethical’ hackers were the first to notice this flaw. Subaru was immediately contacted once the vulnerability was found and a fix was implemented right away.
Experiments Carried Out
After the discovery, Curry and Shah gained access to a 2023 Subaru Impreza (with permission of the owner) and tracked its location history. A second car’s locks were tampered with (again, with permission), all with the owners watching to confirm. All the while, the vehicle owners never received a notification that a new user had been added to their account. More bothersome is that over two years prior to this reveal, a larger group of researchers, of which Curry and Shah are part, discovered web-based security vulnerabilities that affected about 11 other car producers.
In a bid to make the world a global village, privacy has been thrown to the wind. One can only imagine the extent of damage that would have been done if this discovery had been made by someone with malicious intent. Although this discovery is ‘ethical’, it has brought to light the loopholes in many automobile infotainment systems. It is only a matter of time before unethical hackers begin to look for other similar loopholes to leverage. Disaster may have been averted for now, but for how long? What are your thoughts?