Unpatched Exploit Lets You Clone Key Fobs and Open Subaru Cars (bleepingcomputer.com)
An anonymous reader writes:
Tom Wimmenhove, a Dutch electronics designer, has discovered a flaw in the key fob system used by several Subaru models, a vulnerability the vendor has not patched and could be abused to hijack cars. The issue is that key fobs for some Subaru cars use sequential codes for locking and unlocking the vehicle, and other operations. These codes -- called rolling codes or hopping code -- should be random, in order to avoid situations when an attacker discovers their sequence and uses the flaw to hijack cars. This is exactly what Wimmenhove did. He created a device that sniffs the code, computes the next rolling code and uses it to unlock cars...
The researcher said he reached out to Subaru about his findings. "I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told BleepingComputer. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them."
His Subaru-cracking feat -- documented in a video -- was accomplished using a $25 Raspberry Pi B+ and two dongles, one for wifi ($2) and one for a TV ($8), plus a $1 antenna and a $1 MCX-to-SMA convertor.
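As an added illustration of the summary's point (not Wimmenhove's code and not Subaru's protocol, whose format the page does not give), the receiver-side check below is run against a code that is just a counter and against a keyed code. The 32-bit code width, the 16-press window, the HMAC construction and all names are assumptions.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: missed presses the receiver tolerates

def sequential_code(counter: int) -> int:
    # Weak scheme, as the summary describes it: the code is the counter itself.
    return counter & 0xFFFFFFFF

def make_keyed_code(key: bytes):
    # Hardened scheme: truncated HMAC-SHA256 of the counter under a per-fob secret.
    def keyed_code(counter: int) -> int:
        mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")
    return keyed_code

class Receiver:
    def __init__(self, code_fn, counter: int = 0):
        self.code_fn = code_fn
        self.counter = counter  # counter of the last accepted press

    def accept(self, code: int) -> bool:
        # Accept only codes ahead of the stored counter, then advance past them.
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(self.code_fn(c).to_bytes(4, "big"),
                                   code.to_bytes(4, "big")):
                self.counter = c
                return True
        return False

def audit(code_fn) -> dict:
    """Check what one observed press gives to someone who lacks the fob."""
    rx = Receiver(code_fn, counter=100)
    observed = code_fn(101)              # legitimate press (constructed sample)
    legit = rx.accept(observed)
    replay = rx.accept(observed)         # same code again: must be refused
    guess = (observed + 1) & 0xFFFFFFFF  # "next code" inferred from the last one
    predicted = rx.accept(guess)
    return {"legit": legit, "replay": replay, "predicted": predicted}

if __name__ == "__main__":
    print("sequential:", audit(sequential_code))
    print("keyed     :", audit(make_keyed_code(b"constructed-per-fob-secret")))
```

Both receivers refuse a replayed code; only the keyed one also refuses the inferred next code, which is the property the summary says was missing.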
Thanks! (Score:1)
Now all those Subaru car theft gangs will have a leg up.
I see it all the time. There's a Lexus, Toyota, Ferrari, Porsche, Mercedes and car thieves make a bee line for the Subaru!
Happens all the time!
Re: (Score:1)
Not locking the damn doors like that is one of the biggest reasons I like Subaru!
Your dependence on an auto-locking feature will do nothing against carjackers who strike just when someone is going into or out of his or her car.
Re: Thanks! (Score:1)
I'm pretty sure you mean Prius owners that drive under the speed limit while hypermiling in the left lane.
It's about price fixing the key market. (Score:2, Funny)
I need a new key made for my Late-ish model Subaru and they say it's $350 just for a key. When I demanded to speak to the manager of the parts and service depot and demanded an explanation they only would say "it's more secure than the $2.25 key copy you got with your last car at the hardware store."
Clearly that's not true at all. Can we somehow sue them for price fixing the key market?
Re: (Score:2)
I need a new key made for my Late-ish model Subaru and they say it's $350 just for a key. When I demanded to speak to the manager of the parts and service depot and demanded an explanation they only would say "it's more secure than the $2.25 key copy you got with your last car at the hardware store."
Clearly that's not true at all. Can we somehow sue them for price fixing the key market?
Probably, yes. The replacement key thing is a total shakedown. At least you can clone it now.
Re: illegal hacker (Score:2, Insightful)
No legal problem as long as he only opens his own car. Similar to how he can legally break into his own car using a crowbar - and make videos showing how easy that is. When you buy the car it is yours to mess with - including breaking it or spoofing the locks.
Opening a stranger's car with a trick device is clearly illegal.
Re: illegal hacker (Score:4, Funny)
Ye olde-worlde definition of ownership. Ahhh, fond memories.
SDR will make more shoddy RF protocols visible (Score:1)
The "TV dongle" is one which can be used as a software defined radio. The availability of cheap SDRs will allow more hackers to listen in on protocols that most people could not analyze before. Many more shortcuts and shoddy engineering will be revealed now that people can take a look.
Why haven't they (Score:1)
Yet nobody seems to want to steal my 05 Subaru WRX with the busted head gaskets.
Re: (Score:2)
Our third Subaru needed gaskets at 63,000. The one before at 105,000. The '98 went over 150,000 without needing any.
I'm driving a Honda now.
Re: (Score:2)
Our third Subaru needed gaskets at 63,000. The one before at 105,000. The '98 went over 150,000 without needing any.
I'm driving a Honda now.
Mine needed gaskets at about 100,000. Well, actually long before. It started making a funny noise and leaking oil at about 5,000 miles but they insisted that was normal. After my car was out of warranty (by time) they recalled it and offered free head gasket replacement for anyone with my car that was still under warranty. For a known defect in their head gasket. A defect that existed for 15 years before they even contemplated manufacturing my car.
Re: (Score:2)
Why go for the crap when the good ones are there for the taking?
Is the correct term "unpatched"? (Score:1)
Won't all existing fobs have to be reprogrammed?
Re: (Score:2)
Software freedom for all published software. (Score:3)
Yes, but there's no reason to trust that Subaru or any Subaru dealer will do the job right the second time. The article makes it clear that Subaru isn't taking this seriously ("I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told Bleeping. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them." followed by no response from Subaru to the too-corporate-comp
What are Subaru's options? (Score:1)
Re: What are Subaru's options? (Score:1)
Physical locking devices (Score:1)
Re: (Score:3)
Re: (Score:2)
Affects 2004-2011 cars (Score:2, Insightful)
This problem affects 2004-2011 cars and not all of them in those years. This means Subaru fixed this problem probably soon after ROLLJAM became popular.
The issue at hand seems to be that they never went back and issued a voluntary recall for their older cars. On top of that, the article doesn't state who he talked to at Subaru. Honestly, they need a specific way for receiving these kinds of issues because joe blow in the call center isn't going to know how to deal with a report like this.
Re: (Score:3)
hey publicity ! (Score:2)
this looks like an old SDR hack... next we will see a garage opener...
Wimmenhove could have signed up to the partnership agreement and got paid but seems to have figured that publicity would be worth more, hey they could have told him to take a running jump like so many other vendors...
honestly why doesn't automotive just use standards and we could all move on with our lives, or are they invested in making money out of keys ?
Re: hey publicity ! (Score:1)
different problem. (Score:4, Insightful)
The story is that with many large companies, there is no straightforward way for a member of the public to contact someone who is directly responsible for these kinds of issues, which are rising in importance. And/or that there is not someone in the company who has made it their job to actively go out and publicize that they are interested in hearing about such issues.
It happens. Companies get big and fat and distributed, and no one knows whether a particular issue is important or how to own the solution until it gets so big and attention-grabbing that someone at the top realizes they have to put a person on it...
Re: (Score:1)
Surely you can't be suggesting that someone with authority dirty themselves by communicating with a *disgusted expression* customer ?
Re: (Score:2)
will get their atten
Re: different problem. (Score:2)
Best Use of the Tech (Score:5, Interesting)
Re: (Score:2)
winner! winner! chicken dinner!
A plain metal key is all that's needed--sometimes *more* than is needed for security.
more than needed refers to some jobs where you park your car and take public transport to the site.
normally you take all your valuables out of the car and leave it unlocked.
that way when the thieves make their rounds they don't have to break the window to see what you got in there
Yah airports have cameras. some people take a crew boat to work.
unpatched key fob (Score:3)
Re: (Score:3)
Long since. It's never been a good idea to have remote unlocking without full coverage, though.