Two security researchers, Sam Curry and Shubham Shah, have uncovered significant vulnerabilities in a Subaru web portal, highlighting the potential dangers of connected car technology. The flaws allowed them to hijack car controls and track driver location data, raising serious privacy and security concerns. The vulnerabilities were reported to Subaru a year ago, leading the automaker to take corrective action. However, this issue is not isolated to Subaru alone, as similar web-based vulnerabilities affect other carmakers, such as Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota.
The discovery by Curry and Shah has brought to light a critical weakness in the security of connected vehicles. Using the vulnerabilities found in the Subaru web portal, they demonstrated the ability to take control of car functions remotely. This capability underscores the potential for misuse and exploitation by malicious actors, posing a threat not just to individual drivers but also to broader public safety.
The researchers could also access and monitor driver location data through these vulnerabilities. This breach of privacy raises ethical concerns about how such data could be weaponized. Sam Curry emphasized the risk, stating:
“Whether somebody’s cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.” – Sam Curry
While Subaru has since addressed the reported vulnerabilities, the incident calls attention to a more pervasive security issue within the automotive industry. The increasing integration of connected technology in cars necessitates vigilant and ongoing cybersecurity measures. Simply patching discovered flaws offers only a temporary fix and does not address the root causes of these vulnerabilities.
Curry and Shah's findings serve as a stark reminder of the importance of robust cybersecurity protocols in modern vehicles. As more carmakers incorporate advanced technologies into their models, the potential attack surface for cyber threats expands. This situation mandates a proactive approach to identify and mitigate security risks before they can be exploited.
Leave a Reply