
Subaru security flaws exposed its tracking system for millions of cars

Curry and Shah reported their findings to Subaru in late November, and Subaru quickly fixed its Starlink security flaws. But the researchers warn that the Subaru web vulnerabilities are only the latest in a long series of similar web flaws that they and other security researchers working with them have discovered, affecting more than a dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and many others. There is no doubt, they say, that equally serious hackable bugs exist in other auto companies’ web tools and have yet to be discovered.

In the case of Subaru, in particular, they also point out that their discovery gives clues to how those with access to the Subaru portal can track the movements of their customers, a privacy problem that will last much longer than the web vulnerabilities that exposed it. “The thing is, even though it’s patched, this functionality will still exist for Subaru employees,” Curry says. “It’s just normal functionality for an employee to be able to look at a year’s worth of location history.”

When WIRED approached Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that “after being notified by independent security researchers, (Subaru) discovered a vulnerability in its Starlink service that could allow a third party access Starlink accounts. The vulnerability was closed immediately and customer information was never accessed without authorization.”

The Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, depending on their job relevance, who can access location data.” The company offered as an example that employees have that access in order to share a vehicle’s location with first responders. “All of these individuals receive appropriate training and are required to sign appropriate confidentiality, security and privacy agreements as necessary,” the statement added. “These systems feature continually evolving security monitoring solutions to meet modern cyberspace threats.”

Responding to Subaru’s example of notifying first responders about a collision, Curry points out that that would hardly require a year of location history. The company did not respond to WIRED asking to what extent it keeps customer location histories and makes them available to employees.

Shah and Curry’s investigation, which led to their discovery of the Subaru vulnerabilities, began when they noticed that Curry’s mother’s Starlink app connected to the SubaruCS.com domain, which they realized was an administrative domain for employees. By scanning that site for security flaws, they discovered that they could reset employees’ passwords simply by guessing their email address, giving them the ability to take over the account of any employee whose email they could find. The password reset functionality requested answers to two security questions, but they discovered that those answers were verified by code running locally in the user’s browser, not on Subaru’s server, so the protection could be bypassed outright. “There were actually multiple systemic failures that led to this,” Shah says.
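The flaw described above comes from verifying the security-question answers in the browser, where the user controls the code. As an added example (not Subaru’s code or the researchers’), here is a minimal server-side reset flow in Python: only salted hashes of the answers are stored, every answer is compared in constant time, failures are counted and locked out, and the reset token is single-use. The `ResetService` class and the sample account are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalize case and whitespace, then hash with a per-user salt; plaintext is never stored.
    normalized = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 50_000)


def enroll(answers: list[str]) -> dict:
    # Server-side record for one account; the hashes never leave the server.
    salt = os.urandom(16)
    return {"salt": salt, "answers": [_hash_answer(a, salt) for a in answers]}


class ResetService:
    MAX_ATTEMPTS = 5  # lock the reset flow for an account after repeated failures

    def __init__(self, users: dict):
        self.users = users        # email -> enroll() record (constructed sample data)
        self.failures: dict = {}  # email -> failed attempt count
        self.tokens: dict = {}    # one-time token -> email

    def request_reset(self, email: str, answers: list[str]):
        # Issue a reset token only when every answer verifies on the server.
        record = self.users.get(email)
        if record is None or self.failures.get(email, 0) >= self.MAX_ATTEMPTS:
            return None  # identical response for unknown email: do not confirm accounts
        if len(answers) != len(record["answers"]):
            return None
        ok = True
        for given, expected in zip(answers, record["answers"]):
            # Check all answers, in constant time, so the response does not reveal which failed.
            ok &= hmac.compare_digest(_hash_answer(given, record["salt"]), expected)
        if not ok:
            self.failures[email] = self.failures.get(email, 0) + 1
            return None
        self.failures[email] = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = email
        return token

    def set_password(self, token: str, new_password: str) -> bool:
        # Consume the token: it is valid exactly once, then the new password hash is stored.
        email = self.tokens.pop(token, None)
        if email is None:
            return False
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 50_000)
        self.users[email]["password"] = (salt, digest)
        return True
```

The browser only ever submits answers and receives a token or a refusal; it never sees the stored hashes, so a client-side bypass has nothing to bypass.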

The two researchers say they found the email address of a Subaru Starlink developer on LinkedIn, took over the employee’s account, and immediately discovered they could use that staff member’s access to search for any Subaru owner by last name, zip code, email address, telephone number or license plate and access that owner’s Starlink settings. Within seconds, they could reassign control of that user’s vehicle’s Starlink functions, including the ability to remotely unlock the car, honk the horn, start the engine, or locate the car, as shown in the video below.
