Subaru had a serious security flaw, and although it has since been patched, it is a reminder of how many privacy problems modern cars carry. Security researchers Sam Curry and Shubham Shah reported (via WIRED) that an employee web portal could be easily hacked. After gaining access, they were able to remotely control a test vehicle and view a full year of its location data. They warn that the problem is not limited to Subaru's handling of vehicle data.
After the researchers notified Subaru, the company patched the exploit immediately. Fortunately, the researchers say there is no sign that unethical hackers had broken in. However, Subaru's regular employees can still access an owner's location history with just one piece of information, such as the owner's last name, postal code, email address, phone number, or license plate.
The hacked admin portal was part of Subaru's STARLINK connected-vehicle suite. (It has nothing to do with SpaceX's satellite internet service of the same name.) Curry and Shah found the email address of a Subaru STARLINK employee on LinkedIn, bypassed the two required security questions, and then broke in by resetting that employee's password. The bypass worked because the security questions were checked on the end user's side, in the web browser, rather than on a Subaru server. Two-factor authentication was likewise bypassed by "the simplest method": removing the client-side overlay from the UI.
In their tests, the researchers were able to view a year of the test vehicle's location history, but they could not test whether regular Subaru employees can look back further than that, because the test car (a 2023 Subaru Impreza that Curry had bought for his mother on the condition that he could hack it) had only been in use for that period. The location data was not generalized to a wide area; it was accurate to within 17 feet and was updated every time the engine was started.
"After searching for and finding our own car on the dashboard, we were able to confirm that almost all Subaru cars in the United States, Canada and Japan were accessible from the Starlink admin dashboard," says Curry. "We wanted to confirm that we weren't missing anything, so we contacted a friend and asked her to let us hack her car, to prove that there was no prerequisite or function that actually prevents a full vehicle takeover, and we pulled her car up on the admin panel."
In addition to tracking location, the researchers were able to start, stop, lock, and unlock Subaru cars connected to Starlink. According to them, Curry's mother never received a notification that he had added himself as an authorized user, nor a warning when he unlocked the car.
They could also query and retrieve personal information for any customer, such as emergency contacts, authorized users, home addresses, the last four digits of credit cards, and vehicle PINs. They also had access to owner support records, a vehicle's previous owners, odometer readings, and sales history.
In a statement to Engadget, Subaru Communications Director Dominic Infante said, "Subaru of America was notified of a vulnerability in its Starlink service that could allow third-party access to Starlink accounts. Subaru fixed it on the same day it was notified, and no Subaru vehicles or customer data were accessed without authorization; only the two accounts owned by the researchers were accessed."
Subaru also emphasized that its cars cannot be remotely controlled and that it does not sell location data. The company further stated that only specific employees can access driver location data, based on its relevance to their duties.
The security researchers say the tracking and security failures that let a single employee access "large amounts of personal information" are not limited to Subaru. WIRED pointed out that previous research by Curry and Shah had exposed similar flaws affecting vehicles from Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota.
They believe the industry's location tracking and its lack of security measures are serious concerns. "The automotive industry is unique in that an 18-year-old employee in Texas can query information about a car in California without actually setting off any alarm," said Curry. "It's part of their normal daily work. All employees have access to a large amount of personal information, and it all relies on trust. When this kind of broad access is built into the system by default, it's very difficult to actually protect these systems."
The researchers' full report is worth reading.
Update, January 24, 2025, 1:07 PM ET: This story was updated to add a statement from Subaru.