Hackers Unlock, Start Subaru Outback With Cell Phone

It reads like a scene pulled from a bad techno-thriller: a gang of hackers use a smart phone to remotely unlock and start up a car’s engine, stealing the automobile without ever having to pick a lock. Unfortunately for Subaru owners, fantasy has become reality. This past week, a team of computer security researchers demonstrated their ability to use an Android phone to command a Subaru Outback to open its door locks and start its ignition.

The demonstration was done at the Black Hat convention, which is a meeting of computer security professionals that takes places in Las Vegas. The Black Hat Technical Security Conference has been a gathering point for those on both sides of the computer security fence – hackers looking to exploit weaknesses in information systems, and professionals trained to plug potential network holes – since 1997.

According to an article published by SC Magazine, Don Bailey and Matthew Solnik employed a technique they call “war texting,” which allowed them to setup a Global System for Mobile Communications (GSM) network that could intercept the messages being sent between the Subaru Outback test car and the server that controls its software updates and other remotely-transmitted information. By using their own GSM network to snoop out information contained in data packets on the network used by the Subaru, over the period of a few hours the pair of security experts were able to mimic the identity of the server that authorizes unlock and ignition requests, essentially giving them an all-access pass to these aspects of the Outback’s systems.

Should drivers be worried about this type of car hacking? In a word, no. Vehicle theft typically doesn’t involve, or even require this level of sophisticated data espionage. Most of the time, thieves enter a vehicle using physical means, such as a broken window, a slim jim or some other lock-defeating device.

Solnik and Bailey have not made public the name of the specific software programs and platforms that they targeted with their text-message attack. The Black Hat demonstration was intended to show automakers that should they not take proper security precautions when developing their automotive software, then it is entirely possible that individuals with less than honorable intentions will gain access to more important systems and cause greater damage. For example, the potential for chaos is amplified should hackers sit in the street after hours in front of a dealership and remotely disable vehicle software on a large scale.

There’s no need to wrap your Subaru in tinfoil – the old advice for theft prevention is still as valid now as it was before cell phones became remote controls for modern cars. Just keep locking your doors, make sure not to park in dark, secluded areas overnight and try not to leave valuables visible in your automobile while it is sitting on the street. These simple tips will go a long way towards making sure you don’t end up a vehicle theft victim.