A duo of security researchers from iSec Partners demonstrates how easy it can be to unlock a Subaru Outback by using text messages.
Hackers have given new definition to the phrase "search engine optimization," this time by hacking into a Subaru and starting the engine using an Android phone. Two security researchers from iSec Partners demonstrated at the Black Hat security conference in Las Vegas that they could unlock a Subaru Outback and start the engine simply by using an Android phone. In search engine optimization, "black hat" refers to unethical techniques that give hackers or users a chance to manipulate the search engines.
The security researchers have given new definition to manipulating the engine, but this time the engine is not Google's but Subaru's, and it produces horsepower instead of search results. Using the Android phone, Don Bailey and Mathew Solnick used a technique known as "war texting," a method that allowed them to intercept the password authentication messages between the server and the car. You would think a process like this would take months or years to master, but it only took them a couple of hours to unlock the Outback.
The pair also said that their technique could be used to attack plenty of other systems, including traffic control systems and security cameras that receive firmware updates via text messages. This same method can also be used to attack SCADA sensors, which would disrupt the power grid and water supply. Bailey said that he could not care less about unlocking a car door but stated that the real threat was with the phone, power and traffic systems. Neither of the guys would go into detail about the hack or say which cars are vulnerable until the manufacturers have had a chance to correct the issues.
Several major automakers such as BMW, GM and Mercedes all offer similar remote-control apps. This experiment was not the first time security researchers have played around with controlling cars remotely. In May of 2010, a team from the University of Washington exploited a diagnostic computer system known as the Controller Area Network to operate car locks remotely and disable the brakes. We can only hope that if you Google Subaru Outback security, these guys won't be on top of the search results.