Key Fobs For Older Subaru Models Hacked

‘DISCLAIMER: Don’t actually steal all the things!’

byJustin Hughes|
Subaru News photo


Hackers are always trying to get into places they're not supposed to be. The bad ones steal your stuff, hold it for ransom, and generally wreak havoc with the place. The good ones use the same methods, but report their findings to the public to make everyone aware of the vulnerability. Fortunately, it was the good hackers who figured out a major vulnerability in one of Subaru's keyless entry systems.

This particular system has not been used since 2011, but many affected cars are still on the road today. They include:

  • 2006 Subaru Baja
  • 2005 - 2010 Subaru Forester
  • 2004 - 2011 Subaru Impreza
  • 2005 - 2010 Subaru Legacy
  • 2005 - 2010 Subaru Outback

It's worth emphasizing that no new Subarus are affected by this vulnerability, nor is the Subaru BRZ, Scion FR-S, or Toyota 86 of any year.

This vulnerability is detailed on GitHub. Essentially, the digital code that the key fob transmits to the car isn't random, but incremental. That means that after listening in to a few commands, it's possible to predict what the next code will be. This can be used to send your own commands to the car to lock and unlock doors, open the trunk, or engage the panic function without a key fob. It's also possible for the hacker to render the original key fobs inoperative, leaving the hacker in sole control of remote access to the vehicle. Utilizing this vulnerability requires a bit of electronic equipment, but nothing particularly rare or expensive. An electronics hobbyist with sufficient skill would be able to replicate these methods without much difficulty.

The write-up on GitHub offers a solution to avoid this vulnerability: don't send the same command twice. For example, you might press the "unlock" button twice to unlock first the driver's door, then all doors. Someone listening in could grab both codes used and figure out the code sequence being used, enabling them to send their own commands. By sending only one command, that second bit of data becomes much more difficult to get. You can still unlock the driver's door remotely then unlock the other doors with the button built into the car.

We've reached out to Subaru for comment on this vulnerability and will update if we hear back.

UPDATE: Subaru has provided the following statement:

"Subaru follows industry standards on keyless entry systems and its vehicles are no more susceptible to an unauthorized vehicle entry than other manufacturers. While this hacker report could be theoretically possible, we do not have any field reports where a customer’s car has been accessed. The Subaru keyless entry system is not connected to the Subaru ignition system; therefore, the car cannot be powered or started without the actual key.

"The Subaru keyless entry system uses a key fob that contains a short-range radio transmitter and must be within (approx.) 50 ft. of a Subaru vehicle equipped with the system to operate. This is a passive system, when a button is pushed on the fob it sends a coded signal by radio waves to a receiver unit in the car which locks or unlocks the door(s) and/or trunk."

Car TechNews by BrandSubaru News