Connected Vehicle Cybersecurity: Challenges Continue, as Now-Patched Flaws Show
Flaws in Subaru’s telematics software, discovered by a security researcher, could have been exploited to unlock the doors or provide remote access to a car’s location history. The problems – now fixed by Subaru – underscore carmakers’ ongoing cybersecurity challenges.
In late January, Aaron Guzman, a California-based security researcher, bought a raven-colored 2017 Subaru WRX STI with a spoiler. As a longtime Subaru fan, he bought it out of both personal and professional interest: He wanted to hack it.
Guzman is an expert at dissecting the so-called the internet of things, which refers to the ever-growing class of devices and products using connectivity for expanded features. The car industry is on the vanguard of the IoT trend, integrating telematics units with apps that power an array of entertainment, mapping and remote-control features.
Finding information security design failures in connected vehicles, however, is not a new phenomenon, and related bugs have sometimes been exploited in jaw-dropping ways. In 2015, for example, security researchers Charlie Miller and Chris Valasek remotely braked a Jeep Cherokee while a Wired journalist cruised down a California highway. In light of such efforts, the auto industry, as well as the U.S. government, continue to acknowledge that more cybersecurity work needs to be done.