Thanks to JavaScript: Subaru cars could be taken over remotely

Security researchers have managed to take control of Subaru vehicles via the internet. But they have also discovered a treasure trove of data.

Car key with Subaru logo (Image: Ryan T Thomas/Shutterstock.com)


Two security researchers in the USA have succeeded in gaining access to a Subaru administration portal using a comparatively simple method, from which they were apparently able to take over every vehicle of the brand in the USA, Canada and Japan. Security expert Sam Curry published details of the hack, which took place in November 2024, on his blog on Thursday. According to this, Subaru closed the gap within 24 hours. The two hackers also discovered that Subaru apparently keeps precise location data for at least a year. The hack once again highlights the extensive control car manufacturers retain over vehicles they have sold.

The attackers were able to gain extensive remote control over vehicles if they knew the owner's surname, zip code, email address, telephone number or license plate number. Access was gained via a portal for employees of the manufacturer. There, the hackers used the portal's JavaScript to reset the password of accounts belonging to Subaru employees, whose email addresses they used to log in. The two-factor authentication protection was implemented in that same script and could simply be commented out.

As users of this portal, the hackers were able to start, stop, unlock, lock and locate vehicles. They could also see where a vehicle's engine had been started over the previous year, to an accuracy of five meters. They also had access to the user's address data, emergency contacts and even information on the vehicle's purchase and sales history. Subaru employees have the same access. The hackers tried this out on Curry's mother's car, which he had bought for her in exchange for the promise that he would be allowed to hack it later.

Curry's mother's car was started here for a whole year. (Image: samcurry.net)

After being made aware of the attack and the procedure, the Japanese car manufacturer closed the gap within 24 hours. Overall, this resembles similar hacks of cars with an internet connection. However, the discovery that Subaru holds extensive and precise location data going back at least 12 months raises questions. Curry's mother had not owned her car for longer than that. Subaru told Wired that only specially trained employees could view the data. The data could be used, for example, to guide emergency services to a vehicle involved in an accident. However, this would not require months of location data, says Curry. Subaru did not say how far back the data collection goes.

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.