Slashdot Mirror


Unpatched Exploit Lets You Clone Key Fobs and Open Subaru Cars (bleepingcomputer.com)

An anonymous reader writes: Tom Wimmenhove, a Dutch electronics designer, has discovered a flaw in the key fob system used by several Subaru models, a vulnerability the vendor has not patched and which could be abused to hijack cars. The issue is that key fobs for some Subaru cars use sequential codes for locking and unlocking the vehicle, and for other operations. These codes -- called rolling codes or hopping codes -- should be random, in order to avoid situations where an attacker discovers their sequence and uses the flaw to hijack cars. This is exactly what Wimmenhove did. He created a device that sniffs the code, computes the next rolling code and uses it to unlock cars...

The researcher said he reached out to Subaru about his findings. "I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told BleepingComputer. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them."

His Subaru-cracking feat -- documented in a video -- was accomplished using a $25 Raspberry Pi B+ and two dongles, one for Wi-Fi ($2) and one for TV ($8), plus a $1 antenna and a $1 MCX-to-SMA converter.

12 of 60 comments

  1. It's about price fixing the key market. by Anonymous Coward · · Score: 2, Funny

    I need a new key made for my late-ish model Subaru and they say it's $350 just for a key. When I demanded to speak to the manager of the parts and service depot and demanded an explanation they only would say "it's more secure than the $2.25 key copy you got with your last car at the hardware store."

    Clearly that's not true at all. Can we somehow sue them for price fixing the key market?

  2. Affects 2004-2011 cars by Anonymous Coward · · Score: 2, Insightful

    This problem affects 2004-2011 cars and not all of them in those years. This means Subaru fixed this problem probably soon after RollJam became popular.

    The issue at hand seems to be that they never went back and issued a voluntary recall for their older cars. On top of that, the article doesn't state who he talked to at Subaru. Honestly, they need a specific way for receiving these kinds of issues because joe blow in the call center isn't going to know how to deal with a report like this.

    1. Re:Affects 2004-2011 cars by Bryansix · · Score: 2

      By the way, RollJam works even on non-sequential rolling codes if the receiver doesn't invalidate codes expected to be in the past. Yes, it only unlocks the car once but that is all you need.
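The two mechanics discussed above, the summary's "sniff one code, compute the next" attack on a sequential fob and the RollJam capture-and-replay sequence from the reply, modelled in a small Python simulation. This is an added example, not code from the article, from Tom Wimmenhove's GitHub release, or from Subaru; the radio layer, the real Subaru frame format, the acceptance window size and the shared key are all constructed for the example, and the HMAC-based fob stands in for whatever keyed transform a real rolling-code fob uses.

```python
"""Toy remote-keyless-entry model (added example; not the article's or the
researcher's code). A fob whose over-the-air code is simply its counter (the
"sequential code" weakness from the summary) is contrasted with a fob whose
code is a keyed function of the counter, and the RollJam capture-and-replay
sequence from the reply is walked through against the keyed receiver.
Window size, key and frame format are assumptions made for the demo."""
import hashlib
import hmac

WINDOW = 16  # counter steps past the last accepted one that the car tolerates (assumption)


def sequential_code(counter: int, key: bytes) -> int:
    """Weak fob: the transmitted code is the bare counter, so one sniffed
    transmission is enough to compute every later one. The key is unused."""
    return counter


def keyed_code(counter: int, key: bytes) -> int:
    """Stronger fob: a 32-bit truncation of HMAC-SHA256(key, counter). Without
    the key a sniffed code says nothing about the next one."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Fob:
    def __init__(self, key: bytes, code_fn):
        self.key, self.code_fn, self.counter = key, code_fn, 0

    def press(self) -> int:
        """Each button press advances the counter and emits the code for it."""
        self.counter += 1
        return self.code_fn(self.counter, self.key)


class Receiver:
    """Car side: accepts a code only if it matches one of the next WINDOW
    counters, then burns that counter and everything before it."""

    def __init__(self, key: bytes, code_fn):
        self.key, self.code_fn, self.last_counter = key, code_fn, 0

    def try_unlock(self, code: int) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + WINDOW):
            if self.code_fn(c, self.key) == code:
                self.last_counter = c  # past counters are now invalid
                return True
        return False


def predict_next(sniffed: int) -> int:
    """Attacker's guess for the code after a sniffed one: right whenever the
    code is the counter itself, a shot in the dark against a keyed code."""
    return sniffed + 1


def prediction_attack(code_fn) -> bool:
    """Owner unlocks once; attacker sniffs the next press; attacker then sends
    the predicted follow-on code. Returns whether the car opened for the attacker."""
    key = b"\x01" * 16  # constructed demo key shared by fob and car
    fob, car = Fob(key, code_fn), Receiver(key, code_fn)
    assert car.try_unlock(fob.press())      # legitimate press, car opens
    sniffed = fob.press()                   # attacker records this press
    assert car.try_unlock(sniffed)          # the car heard it too
    return car.try_unlock(predict_next(sniffed))


def rolljam(code_fn=keyed_code) -> tuple:
    """RollJam: jam and capture press 1, jam and capture press 2 while replaying
    press 1 (so the owner sees the car open), then use the held-back press 2 later.
    Returns (replay_opened, held_code_opened, reuse_opened)."""
    key = b"\x01" * 16  # constructed demo key
    fob, car = Fob(key, code_fn), Receiver(key, code_fn)
    captured_1 = fob.press()                       # jammed: the car never hears it
    captured_2 = fob.press()                       # jammed again, kept for later
    replay_opened = car.try_unlock(captured_1)     # attacker replays press 1
    held_code_opened = car.try_unlock(captured_2)  # still a "future" counter
    reuse_opened = car.try_unlock(captured_2)      # counter has moved past it
    return replay_opened, held_code_opened, reuse_opened


if __name__ == "__main__":
    print("sequential code, predicted next code unlocks:", prediction_attack(sequential_code))
    print("keyed code, predicted next code unlocks:", prediction_attack(keyed_code))
    print("keyed code, RollJam (replay, held code, reuse):", rolljam())
```

The receiver's window check rejects only counters it has already moved past, which is why the held-back RollJam code is accepted exactly once and a second use of it fails: a keyed code defeats prediction, but not a code that was captured before the car ever saw it.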

  3. Re:Physical locking devices by Bryansix · · Score: 2

    Meanwhile, they can still open your trunk and steal whatever is in there and you might not notice until you drive somewhere else.

  4. different problem. by supernova87a · · Score: 3, Insightful

    The story isn't that the guy found an exploit. There will always be bugs and exploits in a complex system.

    The story is that with many large companies, there is no straightforward way for a member of the public to contact someone who is directly responsible for these kinds of issues, which are rising in importance. And/or that there is not someone in the company who has made it their job to actively go out and publicize that they are interested in hearing about such issues.

    It happens. Companies get big and fat and distributed, and no one knows whether a particular issue is important or how to own the solution until it gets so big and attention-grabbing that someone at the top realizes they have to put a person on it...

    1. Re: different problem. by lauren.forte · · Score: 2

      I agree completely. I am Tom's wife and I saw all of the effort that he put into contacting Subaru and trying to alert them before he released anything. After over a week Tom decided to post the exploit on GitHub and from there news stations have been contacting him, but the real intention was just to get hold of Subaru to let them know what was going on.

  5. Re: illegal hacker by Anonymous Coward · · Score: 2, Insightful

    No legal problem as long as he only opens his own car. Similar to how he can legally break into his own car using a crowbar - and make videos showing how easy that is. When you buy the car it is yours to mess with - including breaking it or spoofing the locks.

    Opening a strangers car with a trick device is clearly illegal.

  6. Best Use of the Tech by Greyfox · · Score: 5, Interesting

    The best use of this tech would probably not be to steal Subarus but rather to offer low-cost backup fobs. Last time I checked, a replacement fob at the dealer will set you back a couple hundred bucks. I bet you could find a price-point in there where you could sell replacements at a reasonable price and still make bank. You could also offer additional features, like being able to open multiple cars for a two (or more) car family.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  7. unpatched key fob by phantomfive · · Score: 2

    Have we really reached the point where we have to patch key fobs?

    --
    "First they came for the slanderers and I said nothing."

  1. Re:unpatched key fob by drinkypoo · · Score: 2

      Long since. It's never been a good idea to have remote unlocking without full coverage, though.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  8. Re: illegal hacker by easyTree · · Score: 4, Funny

    When you buy the car it is yours to mess with - including breaking it or spoofing the locks.

    Ye olde-worlde definition of ownership. Ahhh, fond memories.

  9. Software freedom for all published software. by jbn-o · · Score: 2

    Yes, but there's no reason to trust that Subaru or any Subaru dealer will do the job right the second time. The article makes it clear that Subaru isn't taking this seriously ("I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told Bleeping. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them." followed by no response from Subaru to the too-corporate-compliant bleepingcomputer.com which won't link to the relevant GitHub code page). Subaru's response is flatly not the response of an organization that gives a damn and not linking to the relevant code is showing Subaru far too much deference.

    The whole thing would be end-user fixable if the vehicle's complete software were free software. Users could run, inspect, share, and modify the code themselves or get someone they have good reason to trust to do the work for them. They wouldn't have to rely on an organization that apparently got it massively wrong the first time, didn't even put up a showing like they cared when shown the exploit they introduced, and so far hasn't done anything to fix.

    As it stands now, all Subaru owners can do is ask the proprietors who fucked up the job the first time to take another stab at it—gratis of course—all the while knowing that it will take some helpful hacker like Tom Wimmenhove to look for a different predictable pattern. No Subaru dealer should charge any Subaru owner for applying this or any subsequent lock fix; they should consider themselves lucky if they're not getting sued for selling defective locks in the first place and get their repair costs covered by Subaru.