Researcher Finds Ways into Subaru’s Connected Car Tech

Over a few days, a security researcher unearthed at least eight vulnerabilities in mobile apps for Subaru’s connected car technology that allow an attacker to check a car’s location, as well as unlock doors and honk horns.

Aaron Guzman hacked his own 2017 Subaru WRX STI and found multiple flaws in Subaru Starlink’s authentication practices, Data Breach Daily reported.

The Starlink system connects vehicles to mobile devices, so drivers can get alerts about maintenance, security or use remote features. Starlink also allows for hands-free use of mobile devices through a Bluetooth connection and access to multimedia entertainment apps.

Guzman found the app’s servers use authentication tokens that don’t expire and are sent over a URL in plain text. An attacker would have to grab the token to access an account, which isn’t the easiest attack, according the report, but possible if a victim clicked a malicious link or was targeted with a man-in-the-middle attack. A better practice is to have authentication tokens expire.

These vulnerabilities didn’t allow for an attacker to accelerate or brake the car, but one could review the vehicle’s use. Subaru has since fixed “most” of the flaws, according to the report.