Two security researchers, Sam Curry and Shubham Shah, have uncovered significant vulnerabilities within a Subaru web portal that allowed unauthorized access to car controls and driver location data. These vulnerabilities, discovered more than a year ago, extended beyond Subaru to impact other major carmakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota. Following the researchers' report, Subaru promptly addressed and resolved these security flaws. However, the incident raises broader concerns about the robustness of cybersecurity in connected vehicle technology.
The researchers revealed that the vulnerabilities were web-based and specifically tied to a Subaru portal designed for connected car technology. This oversight enabled potential hijacking of vehicle controls and tracking of driver locations, posing substantial privacy and safety risks. Despite the resolution of these particular vulnerabilities, the incident underscores a more pervasive issue affecting the automotive industry as it increasingly integrates connected technology.
Curry and Shah's findings showed that neither luxury brands such as Acura and Genesis nor mass-market manufacturers like Honda and Hyundai were immune to these security lapses. The widespread nature of the vulnerabilities highlights a systemic issue in the automotive sector's approach to cybersecurity. Although Subaru has since fixed the specific flaws reported by the researchers, the need for comprehensive and proactive security measures remains critical.
“Whether somebody’s cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.” – Sam Curry
The researchers stress that simply identifying and patching individual security flaws is insufficient. They advocate for a more holistic approach to cybersecurity that anticipates potential threats and implements robust safeguards to protect user data and privacy.