
Subaru’s poor security left a lot of vehicle data easily accessible

Subaru left open a huge security flaw that, although now patched, exposes the countless privacy problems of modern vehicles. Security researchers Sam Curry and Shubham Shah reported their findings (via Wired) about an easily hacked employee web portal. After gaining access, they were able to remotely control a test vehicle and view a year’s worth of its location data. They warn that Subaru is not alone in having lax security around vehicle data.

After the researchers notified Subaru, the company quickly patched the flaw. Fortunately, the researchers say it had not previously been exploited by malicious actors. But they say authorized Subaru employees can still look up an owner’s location history with just one of the following pieces of information: the owner’s last name, zip code, email address, phone number or license plate.

The hacked management portal was part of Subaru’s Starlink connectivity feature set. (No relation to the SpaceX satellite Internet service of the same name.) Curry and Shah got in by finding a Subaru Starlink employee’s email address on LinkedIn and resetting the worker’s password after bypassing two required security questions, because that check ran in the end user’s web browser rather than on Subaru’s servers. They also bypassed two-factor authentication by doing “the simplest thing we could think of: removing the client-side overlay from the UI.”
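The weakness described above is that the security-question check and the second-factor prompt lived in the browser, so the server accepted whatever the client told it. The following is an added illustration, not code from the researchers or from Subaru’s portal, contrasting a reset handler that trusts client-sent flags with one that re-verifies every factor on the server. The account record, the question answers, the one-time code and the function names (`reset_vulnerable`, `reset_hardened`, `issue_otp`) are all constructed for the example.

```python
"""Password-reset flow enforced client-side (vulnerable) versus server-side (hardened).

Added illustration only: the account data, answers and codes below are
constructed for the example and are unrelated to any real portal.
"""
import hashlib
import hmac
import secrets


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Hash a security-question answer so the stored value is not plaintext."""
    normalized = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, 100_000)


def make_account(answers: list) -> dict:
    """Build a constructed account record with hashed answers and no pending code."""
    salt = secrets.token_bytes(16)
    return {
        "password": "old-password",
        "salt": salt,
        "answer_hashes": [_hash_answer(a, salt) for a in answers],
        "pending_otp": None,  # one-time code the server issued, if any
        "notified": [],       # audit trail of owner notifications
    }


def reset_vulnerable(account: dict, request: dict) -> bool:
    """Vulnerable pattern: the server believes flags the browser sends it.

    The questions and the second factor are enforced only by front-end code,
    so any request that carries the two flags set to True is accepted.
    """
    if request.get("questions_passed") and request.get("mfa_passed"):
        account["password"] = request["new_password"]
        return True
    return False


def issue_otp(account: dict) -> str:
    """Server generates and records the one-time code it will later demand."""
    code = f"{secrets.randbelow(10**6):06d}"
    account["pending_otp"] = code
    return code


def reset_hardened(account: dict, request: dict) -> bool:
    """Hardened pattern: every factor is re-verified on the server side."""
    answers = request.get("answers", [])
    if len(answers) != len(account["answer_hashes"]):
        return False
    # Constant-time comparison of each hashed answer against the stored hash.
    for given, expected in zip(answers, account["answer_hashes"]):
        if not hmac.compare_digest(_hash_answer(given, account["salt"]), expected):
            return False
    # The second factor is a code the server itself issued, never a client flag.
    otp = account["pending_otp"]
    if otp is None or not hmac.compare_digest(request.get("otp", ""), otp):
        return False
    account["pending_otp"] = None                 # codes are single-use
    account["password"] = request["new_password"]
    account["notified"].append("password-reset")  # the owner hears about it
    return True
```

The hardened handler also records a notification for the account owner, which is the kind of signal the article notes was missing when new users were added to a vehicle; a reset the legitimate owner did not request becomes visible instead of silent.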

Although the researchers’ evidence tracked the test vehicle’s location over the past year, they can’t rule out the possibility that authorized Subaru employees could snoop even further back. That’s because the test car (a 2023 Subaru Impreza Curry bought for his mother on the condition that he could hack it) had only been in use for that long. The location data was also not coarse: it was accurate to less than 17 feet and was updated every time the engine was started.

“After searching and finding my own vehicle on the dashboard, I confirmed that the Starlink admin panel should have access to virtually any Subaru in the United States, Canada, and Japan,” Curry wrote. “We wanted to confirm that we weren’t missing anything, so we contacted a friend and asked if we could hack her car to prove that there were no prerequisites or features that would have prevented her from fully purchasing the vehicle. She sent us her license plate, we stopped her vehicle at the admin panel and finally added ourselves to her car.”

In addition to tracking its location, the management portal allowed researchers to remotely start, stop, lock and unlock any Starlink-connected Subaru vehicle. They said Curry’s mother never received notifications that they had been added as authorized users, nor did she receive alerts when her car was unlocked.

They could also view and retrieve any customer’s personal information, including their emergency contacts, authorized users, home address, the last four digits of their credit card, and vehicle PIN. Additionally, they were able to access owner support call history and previous owners of the vehicle, odometer reading, and sales history.

In a statement to Engadget, Subaru communications director Dominick Infante wrote: “Subaru of America, Inc. was notified by independent security researchers of a vulnerability in its Starlink service that had the potential to allow third parties access to Starlink accounts. Subaru fixed the vulnerability that same day and no Subaru vehicles or customer data were ever accessed without authorization. Independent investigators were able to access two accounts belonging to a family member and a friend who gave them authorization to do so.”

Subaru also emphasized that its cars cannot be driven remotely and that the company does not sell location data. It also said that only certain employees can access driver location data depending on job relevance.

The researchers say the tracking and security flaws, stemming from a single employee’s ability to access “a ton of personal information,” are not unique to Subaru. Wired notes that Curry and Shah’s previous work exposed similar flaws affecting vehicles from Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and others.

The pair believes there is reason to be seriously concerned about the industry’s location tracking and poor security measures. “The auto industry is unique in that an 18-year-old employee in Texas can look up billing information for a vehicle in California, and that won’t really set off any alarms,” Curry wrote. “It’s part of their normal daily work. All employees have access to a large amount of personal information and it is all based on trust. It seems really difficult to secure these systems when such extensive access is built into the system by default.”

The researchers’ full report is worth reading.

Update, January 24, 2025, 1:07 pm ET: This story has been updated to add a statement from Subaru.
