LegacyGT.com

Unpatched Exploit Lets You Clone Key Fobs and Open Subaru Cars


ehsnils


Tom Wimmenhove, a Dutch electronics designer, has discovered a flaw in the key fob system used by several Subaru models, a vulnerability the vendor has not patched and could be abused to hijack cars.

The issue is that key fobs for some Subaru cars use sequential codes for locking and unlocking the vehicle, and other operations.

These codes — called rolling codes or hopping codes — should be random, in order to avoid situations when an attacker discovers their sequence and uses the flaw to hijack cars.

https://www.bleepingcomputer.com/news/security/unpatched-exploit-lets-you-clone-key-fobs-and-open-subaru-cars/


These all use the Microchip KeeLoq system. It's been broken for a LONG time actually, this is just a sensationalized headline because someone realized we had that chipset.

 

No real fix, but as we don't have push to start it doesn't really matter anyway. You could replace the OEM keyless entry system with an aftermarket one if it really worries you.


Agreed, at least we still have real keys for ignition.

 

The annoying downside is your car's contents are a little more theft-able. It's one thing to break a window (which everyone can see/hear), but if you walk up and open it like this no one will bat an eye.

05 LGT 16G 14psi 290whp/30mpg

12 OBP Stock 130whp/27mpg@87 Oct

00 G20t GT28r 10psi 250whp/36mpg


Well - it's not the powertrain that matters - it's the remote/keyless entry system - no idea if it changed from 2010 to 2011.

 

This is the exploit where they have a receiver that monitors for keyfobs and then essentially records what they send, right? (There was a special on Dateline or 60 Minutes that illustrated that a while back.) So locking with the door vs. locking with your keyfob is the workaround to avoid the exploit. Basically, the bad guys would have their receiver, look for someone locking their car, then come and use the receiver to transmit the code to the car again, unlocking it.

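Added example, not from the thread or any of its posters: a small Python model of the fob/receiver exchange described in the article excerpt and in the post above. It shows why a keyed rolling code, checked against a counter window on the car side, rejects the "record it and send it again" replay and also avoids the sequential-code problem the article describes. The key, the window size and the HMAC-based code derivation are constructed stand-ins, not KeeLoq's actual cipher.

```python
import hashlib
import hmac

WINDOW = 16  # how far ahead the receiver will resync (constructed value)

def rolling_code(key: bytes, counter: int) -> bytes:
    """Derive the code for one counter value with a keyed function.
    Without the shared key, a captured code reveals nothing about the next one.
    A fob that just sends counter, counter+1, ... (the sequential scheme the
    article criticises) makes the next valid code obvious to an eavesdropper.
    KeeLoq uses its own cipher; HMAC-SHA256 is only a stand-in here.
    """
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Fob:
    """Transmitter: increments its counter on every button press."""

    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def press(self) -> tuple:
        self.counter += 1
        return self.counter, rolling_code(self.key, self.counter)

class Receiver:
    """Car side: checks the code and refuses replays by requiring a strictly
    newer counter than the last accepted one."""

    def __init__(self, key: bytes) -> None:
        self.key, self.last_counter = key, 0

    def accept(self, counter: int, code: bytes) -> bool:
        # Replayed/stale counters, and counters too far ahead to resync, are rejected.
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False
        if not hmac.compare_digest(code, rolling_code(self.key, counter)):
            return False
        self.last_counter = counter
        return True

def demo() -> dict:
    """The scenario from the thread, with constructed values."""
    key = b"constructed-demo-key"
    fob, car = Fob(key), Receiver(key)
    captured = fob.press()             # an eavesdropper records this press
    first = car.accept(*captured)      # owner locks the car: accepted
    replay = car.accept(*captured)     # the same frame sent again: rejected
    nxt = car.accept(*fob.press())     # owner's next press: still accepted
    return {"first": first, "replay": replay, "next": nxt}
```

The workaround mentioned in the post (locking with the physical key) sidesteps the problem entirely, since nothing is transmitted for an eavesdropper to record.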


They most likely did not change it since the car was coming up for an overhaul in '13. It would not make sense for them to change keyless entry only, as it means a whole lot of testing to make sure it works with the car's electronics.

 

An internet search shows conflicting information, as some keys are for 09-11 and others are 11-17 despite being the same key...


I am not sure what the deal is - for the keyless entry, parts.subaru.com shows 57497AJ10A as being for '11-14, and then 57497AJ00A as being for '10-12...

15+ looks like the same key fob, but they ditched the security key and went to a traditional cut key so the part number is different (57497AL00A)

 

The circuit assembly inside the keyfob is p/n 88036AL01A for 15+, 88036AJ01A is for '10-14 and 88036AJ03A is for 11-14...

 

So it's possible they changed the keyfob from 10 to 11, but maybe they are backwards compatible?
