Subaru key fob vulnerability lets hackers unlock cars

A Dutch electronics designer has discovered how to easily hijack remote keys for Subaru cars, making it possible for anyone to steal vehicles and lock out their owners.

Tom Wimmenhove.

Tom Wimmenhove published instructions for how to build the "SubaruFobRob" car stealing device, using a cheap Raspberry Pi computer to run the exploit along with a transceiver to communicate with cars' remote locking systems over the 433MHz band.

The US$25 device allows attackers to capture the data packets sent from the car key and access the rolling lock and unlock codes that they generate. They can then write this data to a file on the Raspberry Pi.

Wimmenhove said the vulnerability stemmed from a poor implementation of a code generation algorithm in the keys and Subaru cars, meaning the security token is predictable - not random - as it is incremented.

Wimmenhove demonstrating the vulnerability on a Subaru Forester.

"An attacker can 'clone' the key fob, unlock cars and, when increasing the rolling code with a sufficiently high value, effectively render the user's key fob unusable," Wimmenhove wrote.

He suggested that Subaru fix the vulnerability by not using easily predicted sequential rolling lock and unlock codes.

The researcher tested and confirmed the vulnerability on a 2009 Subaru Forester, and claimed it will work on 2005 to 2010 cars of that model.

The vulnerability should also work on 2005-2010 Subaru Legacy and Outback vehicles, as well as Imprezas made from 2004 to 2010 and the 2006 Baja, Wimmenhove said.

He told iTnews the flaw can only be used to get access to cars, not to start engines or disable engine immobilisers.

The researcher said Subaru had been notified of the vulnerability but was yet to respond.

iTnews has contacted the company as to the status of a fix for the issue.