Unlocking a Subaru with a Raspberry Pi, a 433MHz Radio, and an Unpatched Exploit

The Subaru #fobrob exploit

Alasdair Allan
2 min readOct 17, 2017

It’s easy to get worn down with security news. Today a major protocol level flaw in WPA2 WiFi encryption was announced. Then, just a few hours later, a factorisation flaw in TPM chips was revealed that compromised millions of high security keys, including those used in the Estonian e-Residency programme. It’s sometimes difficult explain for those of us involved what these problems mean to the millions of people they affect.

But sometimes there’s an exploit that’s so self obviously bad that it doesn’t need much explanation. Enter #fobrob, discovered by Tom Wimmenhove, a Dutch electronics designer.

A demonstration of the Subaru fobrob exploit. (📹: Tom Wimmenhove)

It turns out that the rolling code used in the key fobs for some models of Subaru are, “…predictable in the sense that it is not random. It is simply incremental.” That means that if you sample some data, and know the secret algorithm for how the code evolves over time, you can lock and unlock the car without the key fob.

Wimmenhove built the proof of concept exploit hardware around a Raspberry Pi running rptix with a DBV-T USB dongle and a 433MHz antenna. Total cost is probably around $40, not including the plastic sandwich box.

Proof of concept exploit hardware. (📷: Tom Wimmenhove)

If all of this wasn’t bad enough it’s being reported that the attacker can also brick the owner’s own key fob with an integer overrun and render the user’s own key fob useless.

The exploit has only been tested on a 2009 Subaru Forester but the same fob is used, and the exploit should work on, the 2006 Baja, the 2005–2010 Forester, the 2004–2011 Impreza, the 2005–2010 Legacy, and the 2005–2010 Outback. The exploit is currently remains unpatched, and Subaru has not replied to a request for comment.

You can a full description of the vulnerability on GitHub, along with proof of concept code. Which is sort of worrying, because as far as I can make out this vulnerability hasn’t gone through any sort of responsible disclosure process.