Saturday, January 25, 2025

 

AUTONEWS



Subaru vulnerability exposed millions of cars to remote hacking and tracking

Security researchers have uncovered alarming vulnerabilities in Subaru's Starlink system, potentially exposing millions of vehicles to unauthorized access and extensive location tracking. While Subaru has said that it doesn't sell location data, the potential for misuse is a significant concern.

The discovery began when Sam Curry, having purchased a 2023 Impreza for his mother, decided to examine its internet-connected features during a Thanksgiving visit.

Curry and fellow researcher Shubham Shah found they could hijack control of various vehicle functions, including unlocking doors, honking the horn, and starting the ignition. However, what Curry found most disturbing was the ability to access detailed location history. "You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day," Curry told Wired. He added, "Whether somebody's cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone."

The researchers began by identifying a weakness in the password reset functionality on the SubaruCS.com site, an administrative portal intended for Subaru employees. By simply guessing an employee's email address, they could initiate a password reset process, exposing a critical flaw in the system's design.

Further investigation revealed that while the site did ask for answers to two security questions during the reset process, these were verified using client-side code running in the user's browser rather than on Subaru's servers. This oversight allowed the researchers to easily bypass the security questions, highlighting a significant lapse in the company's cybersecurity measures. "There were really multiple systemic failures that led to this," Shah told Wired.
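As an added illustration (not code from Subaru, the researchers, or the original article), the sketch below shows the server-side pattern whose absence is described above: the answers are checked on the server, and the password can only change with a short-lived, single-use token that the server issues after that check. All function names, the in-memory stores, and the sample account are assumptions made for the example.

```javascript
// Added example: hypothetical server-side reset flow (all names are assumptions).
const crypto = require('node:crypto');

const accounts = new Map();    // email -> { salt, answerHashes, passwordHash }
const resetTokens = new Map(); // token -> { email, expires }

// Normalise and hash an answer so plaintext answers are never stored or sent.
const hashAnswer = (answer, salt) =>
  crypto.scryptSync(String(answer).trim().toLowerCase(), salt, 32);

function addAccount(email, answers) {
  const salt = crypto.randomBytes(16);
  const answerHashes = answers.map((a) => hashAnswer(a, salt));
  accounts.set(email, { salt, answerHashes, passwordHash: null });
}

// Step 1 (server): check both answers; the browser only learns pass or fail.
function verifyAnswers(email, answers) {
  const acct = accounts.get(email);
  if (!acct || !Array.isArray(answers) ||
      answers.length !== acct.answerHashes.length) return null;
  // Compare every answer (no early exit), each in constant time.
  let ok = true;
  acct.answerHashes.forEach((h, i) => {
    ok = crypto.timingSafeEqual(h, hashAnswer(answers[i], acct.salt)) && ok;
  });
  if (!ok) return null;
  const token = crypto.randomBytes(32).toString('hex');
  resetTokens.set(token, { email, expires: Date.now() + 10 * 60 * 1000 });
  return token;
}

// Step 2 (server): the password changes only with a live token from step 1.
function resetPassword(token, newPassword) {
  const entry = resetTokens.get(token);
  resetTokens.delete(token); // single use, even when the attempt fails
  if (!entry || entry.expires < Date.now()) return false;
  const acct = accounts.get(entry.email);
  acct.passwordHash = crypto.scryptSync(newPassword, acct.salt, 32);
  return true;
}

// Constructed sample account for the demonstration.
addAccount('dev@example.test', ['rex', 'springfield']);
```

Because the second step trusts only state held on the server, a request that skips the first step has no valid token to present and is rejected.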

Curry and Shah then used LinkedIn to locate the email address of a Subaru Starlink developer, exploiting the vulnerabilities to take over this employee's account, which granted them access to sensitive information and controls. The compromised account allowed the pair to look up any Subaru owner using various personal identifiers such as last name, zip code, email address, phone number, or license plate.

Moreover, they discovered that they could access and modify Starlink configurations for any vehicle, as well as reassign control of Starlink features. This included the ability to remotely unlock cars, honk horns, start ignitions, and locate vehicles.

Location Storage

Storing the location of Subaru vehicles has raised additional concerns about customer data privacy. According to the automaker, location data needs to be shared with first responders in the event of an accident. However, the fact that Subaru keeps a detailed history of all locations visited by the vehicle over the course of a year has raised questions about the necessity and security of such storage.

To protect this information, Subaru has stated that its employees who have access to location data sign several confidentiality agreements. Despite this, concerns remain that if the system were hacked, the data could be used for malicious purposes, such as theft or stalking.

This type of monitoring is not unique to Subaru; other automakers also use similar systems. This highlights the importance of developing more secure technologies that protect customer privacy and prevent sensitive information from being exploited by criminals. Solving this issue is crucial to maintaining consumer trust and ensuring their safety.

Mundoquatrorodas
