Two cybersecurity researchers recently uncovered a critical vulnerability in a Subaru web portal that allowed unauthorized access to millions of vehicles.
According to a Wired report, the flaw enabled remote unlocking, engine activation, and real-time tracking of driver locations, raising significant concerns about automotive cybersecurity.
The researchers, Sam Curry and Shubham Shah, reported their findings to Subaru, which has since patched the security loophole. However, they caution that addressing individual vulnerabilities is merely a temporary fix for a much larger problem: the growing risks associated with connected car technologies.
The flaw was discovered through a web portal designed for Subaru employees, which inadvertently granted access to key vehicle functions. Exploiting this vulnerability, the researchers demonstrated their ability to remotely start a test car, pinpoint its location, and retrieve a year’s worth of location data.
“Whether somebody’s cheating on their spouse, seeking medical services, or involved in political activism, there are countless ways this kind of data access could be misused,” Curry explained to Wired.
The incident reveals a broader industrywide issue. The researchers noted that similar vulnerabilities exist in the connected systems of several other major automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota. As long as employee-accessible databases store such sensitive information, the risk of exploitation remains high.