Unpatched Vulnerability Lets Hackers Clone Key Fobs for Some Subaru Models


Dutch engineer Tom Wimmenhove has discovered that some Subaru car models use vulnerable radio key fobs that attackers can easily clone. The problem is that certain Subaru key fobs use sequential codes for locking, unlocking, and other operations. For security, these codes should be random and use so-called “rolling codes,” so that an attacker who intercepts the signal cannot predict the sequence.
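The difference between the two schemes can be shown with a simplified receiver-side model. This is an added illustration, not code from Wimmenhove's research or from any Subaru system; the class names, the 16-step look-ahead window, the key, and the HMAC-SHA-256 construction are all assumptions chosen for the example.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how many missed presses the receiver tolerates

class SequentialReceiver:
    """Weak model: the transmitted code is simply the next number in sequence."""
    def __init__(self, last_code):
        self.last_code = last_code

    def accept(self, code):
        # Any value slightly ahead of the last accepted one is treated as valid.
        if self.last_code < code <= self.last_code + WINDOW:
            self.last_code = code
            return True
        return False

class RollingReceiver:
    """Hardened model: code = truncated HMAC(shared secret key, counter)."""
    def __init__(self, key, counter=0):
        self.key, self.counter = key, counter

    @staticmethod
    def code_for(key, counter):
        mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256)
        return mac.digest()[:8]

    def accept(self, code):
        # Search forward only, so an already-used code can never match again.
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(code, self.code_for(self.key, c)):
                self.counter = c
                return True
        return False

def demo():
    # All values below are constructed samples, not captured from a real fob.
    seq = SequentialReceiver(last_code=1000)
    observed = 1001                      # one legitimate press seen on the air
    seq.accept(observed)
    guess_ok = seq.accept(observed + 1)  # the next code is predictable

    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    roll = RollingReceiver(key)
    seen = RollingReceiver.code_for(key, 1)
    first_ok = roll.accept(seen)         # legitimate press
    replay_ok = roll.accept(seen)        # same code again: rejected
    forged_ok = roll.accept(seen[:-1] + bytes([seen[-1] ^ 1]))  # altered code
    next_ok = roll.accept(RollingReceiver.code_for(key, 2))     # real next press
    return guess_ok, first_ok, replay_ok, forged_ok, next_ok
```

In this model the sequential receiver accepts a code derived from a single observed value, while the keyed receiver rejects both the replay and the altered code and still accepts the fob's genuine next press.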

Wimmenhove conducted tests on his own car and confirmed that, because the codes are sequential, he could easily intercept the key fob signal from a position near the targeted vehicle. In practice, this allows the creation of a fully functional “clone” of the original key fob.

According to the expert, to successfully carry out such an attack, it is enough to intercept just one packet when the car owner presses any button on their key fob. After that, the attacker can unlock the doors and trunk, and disable the alarm system. In short, this vulnerability is a real gift for car thieves. A proof-of-concept video demonstrating the attack can be seen below.

Watch the demonstration video on YouTube

Wimmenhove told journalists from Bleeping Computer that this attack does not require expensive equipment or deep technical knowledge. For his tests, he used a Raspberry Pi B+ ($25), a Wi-Fi dongle ($2), and a TV dongle ($8). The first two components can be replaced with a Raspberry Pi Zero W ($10), which has built-in Wi-Fi. The attacker would also need a battery, a 433 MHz antenna ($1), and an MCX-SMA converter ($1).

Wimmenhove reports that he conducted his tests on a 2009 Subaru Forester, but other models are also affected:

  • 2006 Subaru Baja
  • 2005–2010 Subaru Forester
  • 2004–2011 Subaru Impreza
  • 2005–2010 Subaru Legacy
  • 2005–2010 Subaru Outback

There is currently no patch for this vulnerability, although the researcher contacted Subaru developers and provided them with detailed information about the issue. The company redirected him to a “partner” page and asked him to fill out a questionnaire. Wimmenhove chose not to complete the form, and Subaru representatives have not contacted him since.
