Subaru’s security flaws exposed its tracking system for millions of cars
Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its Starlink security flaws. But the researchers cautioned that Subaru’s web vulnerabilities are just the latest in a long line of similar web-based flaws they and other security researchers working with them have found that have affected more than a dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and many others. There is no doubt, they say, that similar serious hackable bugs exist in other car companies’ web tools that have yet to be discovered.
In the case of Subaru, in particular, they also point out that their discovery shows how broadly people with access to Subaru’s portal can track its customers’ movements, a privacy issue that will outlast the web vulnerabilities that revealed it. “The thing is, even though this has been fixed, this functionality will still exist for Subaru employees,” Curry says. “It’s normal functionality that an employee can download your location history for a year.”
When WIRED reached out to Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that “after being notified by independent security researchers, (Subaru) discovered a vulnerability in its Starlink service that could potentially allow a third party to access Starlink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”
A Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America, based on their job relevance, who have access to location data.” The company offered as an example that employees have this access to share the location of the vehicle with first responders in the event of a collision. “All such individuals receive appropriate training and are required to sign appropriate confidentiality, security and NDA agreements, if necessary,” Subaru’s statement added. “These systems have security monitoring solutions that are constantly evolving to meet modern cyber threats.”
In response to Subaru’s example of notifying first responders of a collision, Curry notes that this would likely not require a year of location history. The company did not respond to WIRED’s question about how far back it stores customers’ location histories and provides them to employees.
Shah and Curry’s research that led them to the discovery of the Subaru vulnerabilities began when they noticed that Curry’s mother’s Starlink app was linked to the SubaruCS.com domain, which they learned was an administrative domain for employees. By scouring that site for security flaws, they discovered they could reset employee passwords simply by supplying an employee’s email address, which let them take over the account of any employee whose email they could find. The password reset feature did ask for answers to two security questions, but those answers were verified by code that ran locally in the user’s browser rather than on Subaru’s server, so the check could be skipped by anyone who called the reset endpoint directly. “There were really multiple systemic failures that led to this,” says Shah.
The two researchers say they found the email address of a Subaru Starlink developer on LinkedIn, took over the employee’s account, and immediately discovered they could use that employee’s access to search for any Subaru owner by last name, zip code, email address, phone number or registration number to access their Starlink configurations. In seconds, they could reassign control of that user’s vehicle’s Starlink features, including the ability to remotely unlock the car, honk the horn, start the ignition or locate it, as shown in the video below.