You’re going beyond the capabilities demonstrated for us here. Whether or not those types of abilities could be built if they wanted to, here is what the author demonstrated:
- ez employee account takeover
- as the admin panel employee you can look up the customer’s billing account info and location history, make any changes to the customer account that a customer service employee can
- you can also add an arbitrary account as an authorized user for any customer
- so you can now log into the regular “Subaru owner” mobile app as that account and that’s how the car-impacting parts of this vulnerability were actually performed.
That means you can activate key fob type commands and see the tracking information available through that app.
The reason I point this out is that you said “remotely disable” and “lock you in your car” - and those are both things such an app can’t do. There’s no “disable car” button in those apps.
If it’s anything like my GM car, it takes like 30 seconds for the car to act on each command you send. So you could lock someone out but if they have a key it’ll be easy for them to unlock it before you can re-lock it. And if it’s in motion you can’t stop it from the app. And finally cars don’t support locking in. They are all designed with handles that will open mechanically with either one or two pulls. Worst it can do to stop you is sound your alarm.