Subaru

Tom Wimmenhove, a Dutch electronics designer, has discovered a flaw in the key fob system used by several Subaru models, a vulnerability the vendor has not patched and could be abused to hijack cars.

The issue is that key fobs for some Subaru cars use sequential codes for locking and unlocking the vehicle, and other operations.

These codes — called rolling codes or hopping code — should be random, in order to avoid situations when an attacker discovers their sequence and uses the flaw to hijack cars.

Car thieves can create duplicate, fully-working key fobs

Wimmenhove discovered the problem by sniffing the radio signals sent out by his own car's key fob, which is nothing more than a short-range radio transmitter.

The electronics expert quickly realized that he could "clone" the key fob and create a fully-working, unauthorized duplicate.

"By receiving a single packet from the key fob (i.e. the user pressed any of the buttons on the fob while the attacker was within range), the attacker can use that packet to predict the next rolling code and use that to lock, unlock, unlock trunk or sound the alarm of the car," Wimmenhove told Bleeping Computer.

Attack rig created using off-the-shelf electronic components

The vulnerability is easy to exploit and doesn't require advanced coding skills. The cyber-criminal underworld is full of hardware hackers that could easily replicate what Wimmenhove achieved.

A car thief would need to create a simple rig that can pick up the key fob's radio signal, compute the next rolling code, and send out a similar radio signal back to the car after the owner has left.

The rig to carry out such attacks is not even expensive, varying from $15 to $30, depending on price and used components.

"Currently, I'm using a Raspberry Pi B+ ($25), a Wi-Fi dongle ($2) and a TV dongle ($8), but the Raspberry Pi B+ and WiFi dongle could both be replaced with a single Raspberry Pi Zero W ($10), which has WiFi on board," Wimmenhove told Bleeping.

"Then you need a 433MHz antenna ($1) and an MCX to SMA convertor ($1) to stick the antenna onto the dongle," he added. "Finally, you need something to power the thing. I'm assuming most people have some kind of Lithium-Ion power bank laying around. If not, they don't cost much either."

Several Subaru models affected

Wimmenhove tested the rig on his own 2009 Subaru Forester, but says the exploit should also work on the following models:

2006 Subaru Baja
2005 - 2010 Subaru Forester
2004 - 2011 Subaru Impreza
2005 - 2010 Subaru Legacy
2005 - 2010 Subaru Outback

Bleeping Computer asked the researcher to prove his work, and the following video was provided at request:

Subaru is aware but has not patched the issue

The researcher also said he reached out to Subaru about his findings.

"I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told Bleeping. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them."

Subaru did not respond to three requests for comment from Bleeping Computer made over 36 hours before publication.

The code needed to run Wimmenhove's attack rig, along with instructions, are now on GitHub. Bleeping Computer is not sharing the link in this article.