Exclusive: Vulnerabilities Could Unlock Brand-New Subarus
In late January, Aaron Guzman, a California-based security researcher, bought a raven-colored 2017 Subaru WRX STI with a spoiler. As a longtime Subaru fan, he bought it out of both personal and professional interest: He wanted to hack it.
Guzman is an expert at dissecting the internet of things, which refers to the ever-growing class of devices and products using connectivity for expanded features. The automotive industry is on the vanguard of the IoT trend, integrating telematics units with apps that power an array of entertainment, mapping and remote-control features.
Finding information security design failures in connected vehicles, however, is not a new phenomenon, and bugs have sometimes been exploited in jaw-dropping ways. In 2015, for example, security researchers Charlie Miller and Chris Valasek remotely braked a Jeep Cherokee while a Wired journalist cruised down a California highway. In light of such efforts, the auto industry, as well as the U.S. government, continue to acknowledge that more cybersecurity work needs to be done.
Guzman's analysis of his new Subaru, however, shows that there is still much room for improvement. In particular, he found eight software vulnerabilities that could be exploited to let unauthorized people unlock the doors, honk the horn and access the vehicle's location history, among other misdeeds.
Guzman's findings are "not at all surprising," says Ross Anderson, a professor of security engineering at the University of Cambridge.
"Microsoft's chief scientist Butler Lampson once said that you can't expect decent software from companies that don't have a career structure for programmers," says Anderson, who recently co-authored a paper exploring the long-term safety and liability issues related to software patching. "Car companies are dominated by mechanical engineers and salesmen."
Target: Starlink
Shortly after he bought the car, Guzman started writing an email to Samy Kamkar, a well-known hacker, asking for Kamkar's help in analyzing Subaru's in-car entertainment, safety and remote access service, called Starlink. But Guzman discovered issues in Starlink even as he worked on crafting the email to Kamkar.
"It was quick," says Guzman, who is also a Los Angeles board member for the Open Web Application Security Project, better known as OWASP. "When I found all the different vulnerabilities, it literally took me two to three days."
Guzman focused on how the iOS and Android mobile apps and the web app communicate with Subaru's Starlink servers. He found eight vulnerabilities, which when used in various combinations, could allow him to add other users to a Starlink account.
Those users would then be able to access the vehicle's usage history, including location, as well as unlock doors and honk the horn. Starlink, however, doesn't control kinetic functions such as braking or acceleration.
Perma-Token Problems
One of the main problems Guzman found was that Subaru's mobile apps used a randomly generated token to allow access once someone has authenticated. That's normal. But according to good web application security practices, tokens should expire after a short time to prevent reuse. The Starlink token, however, perpetually logs in Subaru users. It's also sent over a URL and is cached in clear-text databases, Guzman says.
The iOS, Android and web apps all behaved a bit differently, but the web app appeared to be the most insecure: It sends the token over the URL as a parameter. The token also never expired, even when Guzman changed his password.
The researcher found he could then craft remote service requests using that token and send them over the web. Subaru's servers, satisfied that the token was enough to confirm that the request had come from an authorized user, would execute the command. Subaru doesn't check to see where the request is coming from either, whether via iOS, Android or the web.
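The token handling described above maps onto a few concrete server-side properties. The following Python snippet is an added illustration, not Subaru's or Guzman's code: a small session-token store that expires tokens, invalidates them when the user changes a password, keeps only hashes server-side, and refuses tokens carried in a URL parameter. The 15-minute lifetime and the `transport` argument are assumptions for the example.

```python
import hashlib
import secrets

# Added illustration, not Subaru's code: a session-token store with the
# properties the article says the Starlink token lacked.  Tokens expire, die
# when the user changes their password, are kept server-side only as hashes,
# and are rejected when a client passes them as a URL parameter.

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; tune per deployment


class ExpiringTokenStore:
    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self._ttl = ttl
        self._tokens = {}      # sha256(token) -> (user_id, issued_at, generation)
        self._generation = {}  # user_id -> bumped on every password change

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked or cached copy of the table is useless.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now):
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(user_id, 0)
        self._tokens[self._digest(token)] = (user_id, now, gen)
        return token  # handed to the client once; never logged or put in a URL

    def validate(self, token, now, transport="header"):
        if transport != "header":
            return None  # URL-borne tokens end up in logs, history and caches
        rec = self._tokens.get(self._digest(token))
        if rec is None:
            return None
        user_id, issued_at, gen = rec
        if now - issued_at > self._ttl or gen != self._generation.get(user_id):
            return None  # expired, or password changed since it was issued
        return user_id

    def change_password(self, user_id):
        # Bump the generation so every outstanding token for this user dies.
        self._generation[user_id] = self._generation.get(user_id, 0) + 1
```

A "perma-token" of the kind the article describes is the degenerate case of this store: a plain dictionary lookup with no TTL, no generation check and no transport check.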
From there, Guzman could add other users to an account by entering their email addresses. The new users get emails from Subaru and are then invited to create passwords for accounts.
"They have their own account, but they also have full access to the car - the same as you," Guzman says. "The owner wouldn't know. You don't get an email. You don't get a broadcast. No notifications."
Different Year, Same Flaw
There's irony in Guzman's latest findings. Last year, he had a 2016 Subaru. It lacked the telematics unit, but Subaru had a mobile app that owners could use to track vehicle maintenance. It also used a token that didn't expire, which Guzman says he reported and Subaru fixed. But the same vulnerability appeared again this year.
Subaru "must have re-merged the code and reintroduced the vulnerabilities," he says.
So how would an attack work? There are preconditions: An attacker would have to know, for example, that the victim has a 2017 Subaru - or later - with Starlink installed. The key to Guzman's attack is capturing the token that gets generated, and there are a variety of ways to do this.
One way is by exploiting a cross-site scripting - aka XSS - vulnerability that Guzman also found. It's one of the most common web application development errors, and in this case involves executable code from another source being allowed to run in the web app. This flaw can be used to steal data.
To demonstrate the risk, Guzman developed an XSS payload that could grab the token, although it would require the victim to take some action, such as clicking a malicious link.
Alternately, an attacker might execute a man-in-the-middle attack on the same network being used by the victim, or otherwise trick the victim into surrendering a copy of the token, Guzman says.
Charlie Miller's Analysis
Miller, the Jeep Cherokee hacker, reviewed Guzman's findings for ISMG and says executing an attack against a Subaru would be tricky.
"Unlike Facebook or Twitter, people don't communicate with the Subaru servers very often, and so it is a very difficult attack to pull off," he says. "Compare this to the Jeep attack where the only requirement was the car is on. It required no proximity or interaction by the victim."
Subaru Responds
Guzman reported the flaws to Subaru in February, and he says the company has been responsive. Most of the flaws have been fixed, although Guzman has continued to keep a close eye on updates to the apps.
In a statement to ISMG, Subaru says the flaws found by Guzman "allowed him to access his own account and vehicle data."
That is technically true. But Guzman only probed the flaws using his own account because using other accounts - especially without permission - would violate computer crime laws.
Subaru also contends that any risk to users "was minimal."
In many ways, Subaru's errors pose less risk than Miller and Valasek's Jeep hack, and are also easier to fix, because they can be remotely patched by the automaker. The Jeep Cherokee findings caused its automaker, Fiat Chrysler Automobiles, to recall 1.4 million vehicles to fix the flaws in its UConnect telematics system.
Despite increased concerns around the security of connected vehicles, however, the Subaru flaws show a major carmaker continuing to make preventable coding mistakes that put car owners' privacy, and potentially more, at risk.
Subaru doesn't have a bug bounty program. Such reward schemes have been implemented by other car companies, including Fiat Chrysler. But Subaru did at least credit Guzman with finding the bugs, and the Subaru-loving researcher says that's sufficient.
"I was just happy with giving me credit," Guzman says. "I just did it more for fun. It's a fun car."