Subaru’s security flaws exposed its system for tracking millions of cars

Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are just the latest in a long line of similar web-based flaws that they and other security researchers working with them have found affecting the cars of more than a dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There is little doubt, they say, that similarly serious hackable bugs exist in the web tools of other auto companies and have yet to be discovered.
In Subaru’s case in particular, they also pointed out that their findings show how pervasively anyone with access to the Subaru portal can track customers’ movements, a privacy problem that will outlast the web vulnerabilities that exposed it. “The thing is, even if it’s patched, this functionality will still exist for Subaru employees,” says Curry. “It’s just normal functionality that an employee can take a year of the history of your situation.”
When WIRED reached out to Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that “after being notified by independent security researchers, (Subaru) discovered a vulnerability in its Starlink service that could allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”
The Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their job relevance, who can access location data,” citing the case when a collision is detected. “All these individuals receive proper training and are required to sign the appropriate privacy, security and NDA agreements,” Subaru’s statement added. “The systems have security monitoring solutions in place that are constantly evolving to respond to modern cyber threats.”
Responding to Subaru’s example of notifying first responders about a collision, Curry notes that this would hardly require a year of location history. The company did not respond to WIRED’s question of how long it retains customers’ location history and makes it available to employees.
The research that led Shah and Curry to Subaru’s vulnerabilities began when they found that the Starlink app on Curry’s mother’s phone connected to the SubaruCS.com domain, which they realized was an administrative domain for Subaru employees. Scouring this site for security flaws, they found that they could reset employees’ passwords just by guessing their email address, which gave them the ability to take over the account of any employee whose email they could find. The password reset feature required answers to two security questions, but the answers were verified by code that ran locally in the user’s browser, not on Subaru’s server, so the safeguard could simply be skipped. “There were really many systemic failures that led to this,” says Shah.
The two researchers say they found the email address of a Subaru Starlink developer on LinkedIn, took over that employee’s account, and immediately found they could use the staffer’s access to search for any Subaru owner by last name, postal code, email address, telephone number, or license tag and view their Starlink settings. In seconds, they could then reassign control of that user’s vehicle’s Starlink features, including the ability to remotely unlock the car, honk the horn, start its ignition, or locate it, as shown in the video below.
https://media.wired.com/photos/679163ea81b10acbc3e4f33b/191:100/w_1280,c_limit/security_subaru_getty.jpg
2025-01-23 15:00:00