New Subaru WRX STI Owner Hacks Cars Software; Does the STI Have Security Issues?
A Subaru WRX STI owner hacked his cars software and found potential security issues. He found his WRX STI has some flaws in its software system that could make it vulnerable to hackers. According to Independent researcher Aaron Guzman, who owns a 2017 Subaru WRX STI, says he spotted eight software vulnerabilities in his performance car. The flaws could allow a unauthorized user to unlock doors, honk the horn, gain vehicle location history and other issues stemming from the car's Starlink account.
According to Data Breach Today, Guzman spotted “perma-token problems” in the Starlink token. The Subaru mobile apps use a randomly generated token, to allow access once someone has authenticated, which is supposed to expire after a short time to prevent reuse. Instead, the flaw allows Subaru users to perpetually logon. The token is also sent over a URL and is cached in clear-text databases and never expired even after a password was changed.
The result is an attacker who knew the victim had a 2017 Subaru, or later model with Starlink, could capture the token and enter their email address and get vital information from Subaru. They would then have full access to the car, the same as the owner.
What did Subaru do about it?
Guzman originally found the software flaw in a 2016 WRX STI and said he reported the issue to Subaru who supposedly fixed the issue yet the same bug appeared in his new 2017 WRX STI. He says, Subaru "must have re-merged the code and reintroduced the vulnerabilities.”
The flaws were reported to Subaru again this year and the automaker has reportedly been responsive. Most of the flaws have since been “patched” however, Guzman said he has kept a close eye on all of the updates that have been released.
Security issues in connected vehicles is not new to the auto industry. In 2015, Charlie Miller and Chris Valasek remotely braked a Jeep Cherokee while a “wired” journalist cruised down a highway in California. Because of this incident, the auto industry, as well as the U.S. government, acknowledge that more cybersecurity work needs to be done.
Subaru said the flaws found by Guzman "allowed him to access his own 2017 Subaru WRX STI’s account data," according to a statement to ISMG, and said that any risks to users “was minimal.” Subaru doesn’t have a “bug bounty program”, but did give credit to Guzman for finding the bugs. He says, ”I was just happy with giving me credit, I just did it more for fun. It's a fun car."
Photo credit: Subaru