Subaru left a gaping security flaw that, although now fixed, lays modern vehicle privacy concerns bare. Security researchers Sam Curry and Shubham Shah reported their findings (via Wired) about an easily hacked employee web portal. After gaining access, they were able to remotely control a test vehicle and view a year's worth of its location data. They warn that Subaru is far from alone in having lax security around vehicle data.
After the researchers notified Subaru, the company quickly patched the exploit. Fortunately, the researchers say less-than-ethical hackers had not exploited it before. But they say authorized Subaru employees can still access owners' location history with just a single piece of the following information: the owner's last name, zip code, email address, phone number or license plate.
The hacked admin portal was part of Subaru's StarLink suite of connectivity features. (No relation to Starlink, SpaceX's satellite internet service of the same name.) Curry and Shah got in by finding a Subaru StarLink employee's email address on LinkedIn and resetting that employee's password after bypassing two required security questions, which were validated in the employee's web browser (on the end user's side, not on Subaru's servers). They also bypassed two-factor authentication by doing "the simplest thing we could think of: removing the client-side overlay from the UI."
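The root cause described above is that the security-question and two-factor checks were enforced in the browser, where the client can simply skip them. The following is an added example, not code from the article or from Subaru's portal: a password-reset flow in which every gate is checked and recorded in server-side state, so a client that omits a step or claims it was passed never reaches the "set new password" stage. The demo account, its security answers and the static MFA code are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo account: hashed security answers and a fixed MFA code (real
# systems would use TOTP or push approval; the static code stands in for that).
def _h(answer: str) -> str:
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()

ACCOUNTS = {
    "employee@example.invalid": {
        "answers": [_h("rover"), _h("springfield")],
        "mfa_code": "482913",
        "password": "old-password",
    }
}
MAX_ATTEMPTS = 5
SESSIONS: dict = {}   # reset-session id -> server-held progress; the client only gets the id

def start_reset(email: str):
    """Create a reset session; nothing is verified yet."""
    if email not in ACCOUNTS:
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"account": email, "questions_ok": False, "mfa_ok": False, "attempts": 0}
    return sid

def answer_questions(sid: str, answers: list) -> bool:
    """Step 1, verified server-side with constant-time compares and a lockout."""
    s = SESSIONS.get(sid)
    if s is None or s["attempts"] >= MAX_ATTEMPTS:
        return False
    s["attempts"] += 1
    expected = ACCOUNTS[s["account"]]["answers"]
    ok = len(answers) == len(expected) and all(
        hmac.compare_digest(_h(a), e) for a, e in zip(answers, expected))
    s["questions_ok"] = ok
    return ok

def verify_mfa(sid: str, code: str) -> bool:
    """Step 2 is unreachable until step 1 succeeded, whatever the client sends."""
    s = SESSIONS.get(sid)
    if s is None or not s["questions_ok"]:
        return False
    s["mfa_ok"] = hmac.compare_digest(code.encode(), ACCOUNTS[s["account"]]["mfa_code"].encode())
    return s["mfa_ok"]

def set_password(sid: str, new_password: str, client_claims: dict = None) -> bool:
    """Final step: decided only by server state; client_claims (e.g. {"mfaPassed": True}) is ignored."""
    s = SESSIONS.get(sid)
    if s is None or not (s["questions_ok"] and s["mfa_ok"]):
        return False
    ACCOUNTS[s["account"]]["password"] = new_password
    del SESSIONS[sid]        # one successful reset consumes the session
    return True
```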
Although the researchers' tests traced the location of the test vehicle back a year, they cannot rule out the possibility that authorized Subaru employees could go back even further. That is because the test car (a 2023 Subaru Impreza Curry bought for his mother on the condition that he could hack it) had only been in use for that long. The location data was not generalized to a wide swath of terrain: it was accurate to within 17 feet and updated every time the engine started.
"After searching and finding my own vehicle in the dashboard, I confirmed that the StarLink administrator dashboard should have access to almost all Subarus in the United States, Canada and Japan," Curry wrote. "We wanted to confirm that we weren't missing anything, so we contacted a friend and asked if we could hack her car to demonstrate that there were no prerequisites or features that would have effectively prevented a complete vehicle takeover. She sent us her license plate, we pulled her vehicle up in the admin panel, and then finally added ourselves to her car."
In addition to tracking their location, the admin portal allowed the researchers to start, stop, lock and unlock any Subaru vehicle connected to StarLink. They said Curry's mother never received notifications that they had added themselves as authorized users, nor did she receive alerts when they unlocked her car.
They could also query and retrieve personal information for any customer, including their emergency contacts, authorized users, home address, the last four digits of their credit card and their vehicle PIN. Additionally, they were able to access the owner's support call history, the vehicle's previous owners, its odometer reading and its sales history.
In a statement to Engadget, Subaru communications director Dominick Infante wrote: "Subaru of America, Inc. was informed by independent security researchers of a vulnerability in its StarLink service that had the potential to allow third-party access to StarLink accounts. Subaru patched the vulnerability the same day, and no Subaru vehicle or customer data has ever been accessed without authorization. The independent researchers were able to access two accounts belonging to a family member and a friend who gave them permission to do so."
Subaru also stressed that its cars cannot be driven remotely and that the company does not sell location data. It also said that only certain employees can access driver location data, based on job relevance.
The researchers say the tracking and security failures, which stem from a single employee's ability to access "a ton of personal information," are hardly unique to Subaru. Wired notes that Curry and Shah's previous work exposed similar flaws affecting vehicles from Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and others.
The pair believe there are reasons for serious concern about the industry's location tracking and poor security measures. "The auto industry is unique in that an 18-year-old employee from Texas can query a vehicle's billing information in California, and it won't really set off any alarm bells," Curry wrote. "It's part of their normal daily work. Employees all have access to a ton of personal information, and it's all built on trust. It seems really difficult to truly secure these systems when such broad access is built into the system by default."
The researchers' full report is worth a read.
Updated, January 24, 2025, 1:07 p.m. ET: This story has been updated to add a statement from Subaru.