Curry and Shah reported their findings to Subaru in late November, and Subaru immediately closed its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are the latest in a long series of similar web-based flaws that they, and other security researchers working with them, have found affecting a dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. They say there is no doubt that other auto companies' web tools contain similarly serious hackable bugs that have not yet been discovered.
In the case of Subaru specifically, they also point out that their findings show how widely anyone with access to Subaru's portal can track customers' movements, a privacy issue that will last far longer than the web vulnerabilities they exposed. “The thing is, even though it's fixed, this functionality will still be available to Subaru employees,” says Curry. “It's just general functionality that an employee can pull up a year's history of your location.”
When WIRED contacted Subaru for comment on Curry and Shah's findings, a spokesperson responded in a statement that “After being informed by independent security researchers, [Subaru] discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”
A spokesperson for Subaru also confirmed to WIRED that “Subaru of America has employees who can access location data, depending on the relevance to their job.” As an example, the company said that employees can share a vehicle's location with first responders when a collision is detected. “All of these individuals receive appropriate training and are required to sign appropriate confidentiality, security and NDA agreements as required,” the statement from Subaru said. “Evolution is underway to address modern cyber threats.”
Responding to Subaru's example of notifying first responders about a collision, Curry said this would hardly require a year's worth of location history. The company did not respond when WIRED asked how far back it retains customers' location histories and makes them available to employees.
Shah and Curry's research that led them to the discovery of Subaru's vulnerabilities began when they noticed that Curry's mother's Starlink app was connected to the SubaruCS.com domain, which they realized was an administrative domain serving as an access point for employees. Upon investigating that site for security flaws, they discovered that they could reset employees' passwords by guessing their email addresses, giving them the ability to take over the account of any employee whose email they could find. The password reset functionality asked for answers to two security questions, but they found that those answers were checked by code that ran locally in the user's browser, not on Subaru's servers, allowing the check to be easily bypassed. “There were really a number of systemic failures that led to this,” says Shah.
The two researchers say they found the email address of a Subaru Starlink developer on LinkedIn, took over the employee's account, and immediately found they could use that employee's access to look up any Subaru owner by last name and zip code, email address, phone number, or license plate and access their Starlink configuration. In a matter of seconds, they could reassign control of that user's vehicle's Starlink features, including the ability to remotely unlock the car, honk its horn, start the ignition, or locate it, as shown in the video below.