Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched the Starlink security flaws. But the researchers caution that the Subaru web vulnerabilities are just the latest in a series of similar web-based flaws that they and other security researchers working with them have discovered, affecting many automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and many others. They say other car companies’ web tools have serious hackable bugs that haven’t been discovered yet.
In the Subaru case in particular, they also note that their discovery points to how those with access to Subaru’s portal could broadly track the movements of their customers, a privacy problem that will outlast the web vulnerabilities that exposed it. “The thing is, even though this patch is fixed, this functionality will still be available to Subaru employees,” Curry said. “It’s just normal functionality for an employee to be able to collect a year’s worth of your location history.”
When WIRED contacted Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that “after being alerted by independent security researchers, (Subaru) discovered a vulnerability in the Starlink service that could allow a third party to access Starlink accounts. The vulnerability was closed immediately and no customer data was accessed without permission.”
A Subaru spokesperson also confirmed to WIRED that “Subaru of America has employees who can access location data based on job eligibility.” As an example, the company suggested that employees have the ability to share a vehicle’s location with first responders. “All such individuals receive appropriate training and are required to sign appropriate confidentiality, security and NDA agreements as appropriate. These systems have security monitoring solutions that are constantly evolving to meet modern cyber threats.”
In response to Subaru’s example of notifying first responders of a collision, Curry notes that it hardly requires a year’s worth of location history. The company did not respond to WIRED’s inquiry about how long it keeps customers’ location histories and makes them available to employees.
Shah and Curry’s investigation that led them to uncover Subaru’s vulnerabilities began when they realized that Curry’s mother’s Starlink software was connected to the SubaruCS.com domain, which was an administrative domain for employees. Examining that site for security flaws, they found that they were able to reset employees’ passwords simply by guessing their email addresses, giving them the ability to hijack any employee’s account whose email they could find. The password reset feature asked for answers to two security questions, but they found that those answers were checked by code running locally in the user’s browser, not on Subaru’s server, allowing the protection to be easily bypassed. “There were really a lot of system failures that led to this,” says Shah.
The two researchers said they found a Subaru Starlink developer’s email address on LinkedIn, took over the employee’s account, and immediately used that employee’s login to search for any Subaru owner by last name, zip code, email address, phone number or license plate to access their Starlink configurations. In seconds, they could take control of that user’s car’s Starlink functions, including the ability to remotely unlock, honk, start the ignition, or locate the car, as shown in the video below.