image many of us have of car thieves with Slim Jims and screwdrivers in
hand might have completely changed as two computer hackers demonstrated
the ability to remotely unlock and then start a vehicle using just
their smart phones.
Two researchers at the Black Hat
annual conference of hackers and security pros last week in Las Vegas
showed they could unlock and start the engine of a Subaru Outback via
text messages using their Android smartphone, according to reports by
CNN Tech and Engadget. The security pros set up their own GSM network
(similar to what a single cell tower would be) and used what they call
"war texting" to exploit the vehicle's remote control system and
intercept password authentication messages over the cell network between
the server and the car. They said their technique could be used to hack
other automakers' remote start systems.
But while it's certainly
unnerving to think that intelligent hackers might be able to steal your
car, the average car thief probably doesn't have the skill set to
accomplish what these proficient security experts can do. But people
like these security nerds can use similar processes to control other
systems, such as traffic signals, security cameras and even the power
"I could care less if I could unlock a car door. It's cool.
It's sexy," Don Bailey, a senior security consultant with iSEC Partners
and one of the pros who hacked the car, told CNN. "But the same system
is used to control phone, power, traffic systems. I think that's the
While these researchers were able to start an
Outback, they may or may not have been able to actually drive it away.
Systems such as the $360 optional remote start for
automatic-transmission Outbacks are intended to require the key to put
it in gear. But that's an electronic control, too. However we believe
they could change all your radio stations and put the air conditioner or
heater on full blast. Now there's some nerdy fun.
McHale, Subaru's director of corporate communications, wouldn't comment
on whether this type of breach is possible, having not observed the
claimed hack, but he told Cars.com an attack such as this could affect
"I don't think it's a Subaru situation," McHale
said. "I think the same technology would work on most cars on the
market." The researchers said they won't provide specifics about how
they accomplished their breach until manufacturers have a chance to
upgrade their systems.
Whether the problem is limited to Subaru or
not is irrelevant - all vehicle manufacturers might want to look into
the possibility of this type of attack.