Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are the latest in a long line of similar web-based flaws that they and other security researchers they work with have found affecting more than two dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. They say there is little doubt that there are similar hackable bugs in other car companies’ web tools that have yet to be discovered.
In Subaru’s case in particular, they also point out that their discovery reveals the extent to which people with access to Subaru’s portal can track its customers’ movements, a privacy issue that goes far beyond the web vulnerabilities they have disclosed and one that will continue after the fix. “The possibility is that even though this has been patched, this functionality is still available to Subaru employees,” Curry said. “It’s a normal function for an employee to collect a year’s worth of your location history.”
When WIRED reached out to Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that, “After being notified by independent security researchers, [Subaru] discovered a vulnerability in its Starlink service that could potentially allow third parties to access Starlink accounts. The vulnerability was immediately closed and customer data was never accessed without authorization.”
A Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their employment relationship, who can access location data.” The company gave the example that employees have access to share a vehicle’s location with first responders in the event that a collision is detected. Subaru’s statement says, “All such individuals receive appropriate training and are required to sign privacy, security and NDA agreements.” The company added that these systems have security monitoring solutions that are continuously being developed to deal with modern cyber threats.
In response to Subaru’s example of notifying first responders of a collision, Curry points out that such a use hardly requires a year’s worth of location history. The company did not respond when WIRED asked how long it keeps customers’ location history and makes it available to employees.
Shah and Curry’s research that led them to discover the Subaru vulnerabilities began when they found that Curry’s mother’s Starlink app connected to the SubaruCS.com domain, which they realized was an administrative domain for employees. By scouring the site for security flaws, they discovered that they could reset employee passwords simply by guessing their email addresses, which would allow them to access the account of any employee whose email they could find. The password reset function required answers to two security questions, but they found that those answers were checked by code that ran locally in the user’s browser, not on Subaru’s server, making it easy to bypass the protection. “There were really several systemic failures that led to this,” says Shah.
The two researchers say they found the email address of a Subaru Starlink developer on LinkedIn, took over the employee’s account, and immediately realized they could use that employee’s access to search for a Subaru owner by last name, zip code, email address, phone number, vehicle number, or license plate and reach that owner’s Starlink settings. Within seconds, they could reassign control of that user’s car’s Starlink features, including the ability to remotely unlock it, honk the horn, start the ignition, or locate it, as shown in the video below.