Slashdot Mirror
Unpatched Exploit Lets You Clone Key Fobs and Open Subaru Cars (bleepingcomputer.com)
An anonymous reader writes:
Tom Wimmenhove, a Dutch electronics designer, has discovered a flaw in the key fob system used by several Subaru models, a vulnerability the vendor has not patched and could be abused to hijack cars. The issue is that key fobs for some Subaru cars use sequential codes for locking and unlocking the vehicle, and other operations. These codes -- called rolling codes or hopping code -- should be random, in order to avoid situations when an attacker discovers their sequence and uses the flaw to hijack cars. This is exactly what Wimmenhove did. He created a device that sniffs the code, computes the next rolling code and uses it to unlock cars...
The researcher said he reached out to Subaru about his findings. "I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told BleepingComputer. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them."
His Subaru-cracking feat -- documented in a video -- was accomplished using a $25 Raspberry Pi B+ and two dongles, one for wifi ($2) and one for a TV ($8), plus a $1 antenna and a $1 MCX-to-SMA convertor.
The researcher said he reached out to Subaru about his findings. "I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told BleepingComputer. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them."
His Subaru-cracking feat -- documented in a video -- was accomplished using a $25 Raspberry Pi B+ and two dongles, one for wifi ($2) and one for a TV ($8), plus a $1 antenna and a $1 MCX-to-SMA convertor.
Hey, I've got an '02 Outback Sport with 200,000 miles on it. The thevies are welcome to it... ;-)
Now all those Subaru car theft gangs will have a leg up.
I see it all the time. There's a Lexus, Toyota, Ferrari, Porshe, Mercedes and car thieves make a bee line for the Subaru!
Happens all the time!
I need a new key made for my Late-ish model Subaru and they say itâ(TM)s $350 just for a key. When I demanded to speak to the manager of the parts and service depot and demanded an explanation they only would say âoeitâ(TM)s more secure than the $2.25 key copy you got with your last car at the hardware store.
Clearly thatâ(TM)s not true at all. Can we somehow sue them for price fixing the key market?
Something in my Butthoal does not Compute.
TFS says he's Dutch. Is this kind of unauthorized "testing" legal in the Netherlands?
The "TV dongle" is one which can be used as a software defined radio. The availability of cheap SDRs will allow more hackers to listen in on protocols that most people could not analyze before. Many more shortcuts and shoddy engineering will be revealed now that people can take a look.
Yet nobody seems to want to steal my 05 Subaru WRX with the busted head gaskets.
Won't all existing fobs have to be reprogrammed?
Good, crack them all and then sell kits on eBay. Why must it cost upwards of $80 plus a visit to the dealership if I lose my key? Used to be one could go to the hardware store to just cut a new key. It's MY CAR, I should be able to get MY key made in a competive market.
Iâ(TM)m not quite sure how they would âoepatchâ without a recall of all affected models, as there is no OTA upgrade method for these. OTOH, as a driver of a vulnerable car, I would love to extend this feature to be able to unlock my car using my phone via a custom Bluetooth-enabled app. Iâ(TM)d be very interested in getting my hands on the code for my own (legal) personal use. I also think that publishing as much information as he already has is quite irresponsible given that it may now be quite easy to reverse-engineer.
Wow. Trollers canâ(TM)t even stay on topic.
That's why I have a brake pedal lock that I use religiously on my ten year old Chevy and my wife's brand new VW. Yeah you can get into the car, but you can't drive off with it. The VW has a fatter brake pedal lever than my Chevy, so the lock doesn't fit as well, but it's still more work for a thief that I'd rather be there than not.
This problem affects 2004-2011 cars and not all of them in those years. This means Subaru fixed this problem probably soon after ROLLJAM became popular.
The issue at hand seems to be that they never went back and issued a voluntary recall for their older cars. On top of that, the article doesn't state who he talked to at Subaru. Honestly, they need a specific way for receiving these kinds of issues because joe blow in the call center isn't going to know how to deal with a report like this.
this looks like an old SDR hack... next we will see a garage opener...
Wimmenhove could have signed up to the partnership agreement and got paid but seems to have figured that publicity would be worth more, hey they could have told him to take a running jump like so many other vendors...
honestly why doesn't automotive just use standards and we could all move on with our lives, or are they invested in making money out of keys ?
The story isn't that the guy found an exploit. There will always be bugs and exploits in a complex system.
The story is that with many large companies, there is no straightforward way for a member of the public to contact someone who is directly responsible for these kinds of issues, which are rising in importance. And/or that there is not someone in the company who has made it their job to actively go out and publicize that they are interested in hearing about such issues.
It happens. Companies get big and fat and distributed, and no one knows whether a particular issue is important or how to own the solution until it gets so big and attention-grabbing that someone at the top realizes they have to put a person on it...
I need a new key made for my Late-ish model Subaru and they say itâ(TM)s $350 just for a key. When I demanded to speak to the manager of the parts and service depot and demanded an explanation they only would say âoeitâ(TM)s more secure than the $2.25 key copy you got with your last car at the hardware store.
Clearly thatâ(TM)s not true at all. Can we somehow sue them for price fixing the key market?
Probably, yes. The replacement key thing is a total shakedown. At least you can clone it now.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
The best use of this tech would probably not be to steal Subarus but rather to offer low-cost backup fobs. Last time I checked, a replacement fob at the dealer will set you back a couple hundred bucks. I bet you could find a price-point in there where you could sell replacements at a reasonable price and still make bank. You could also offer additional features, like being able to open multiple cars for a two (or more) car family.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Have we really reached the point where we have to patch key fobs?
"First they came for the slanderers and i said nothing."
Yes, but there's no reason to trust that Subaru or any Subaru dealer will do the job right the second time. The article makes it clear that Subaru isn't taking this seriously ("I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told Bleeping. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them." followed by no response from Subaru to the too-corporate-compliant bleepingcomputer.com which won't link to the relevant Github code page). Subaru's response is flatly not the response of an organization that gives a damn and not linking to the relevant code is showing Subaru far too much deference.
The whole thing would be end-user fixable if the vehicle's complete software were free software. Users could run, inspect, share, and modify the code themselves or get someone they have good reason to trust to do the work for them. They wouldn't have to rely on an organization that apparently got it massively wrong the first time, didn't even put up a showing like they cared when shown the exploit they introduced, and so far hasn't done anything to fix.
As it stands now, all Subaru owners can do is ask the proprietors who fucked up the job the first time to take another stab at it—gratis of course—all the while knowing that it will take some helpful hacker like Tom Wimmenhove to look for a different predictable pattern. No Subaru dealer should charge any Subaru owner for applying this or any subsequent lock fix; they should consider themselves lucky if they're not getting sued for selling defective locks in the first place and get their repair costs covered by Subaru.
Digital Citizen
Hey everybody, phantomfive finally caught up with the rest of the world!!
Let's give hiim a big round of applause!!
**golf clap**