Subaru has exposed its system for tracking millions of vehicles in a security flaw


Curry and Shah reported their findings to Subaru in late November, and Subaru quickly addressed its StarLink security flaws. But the researchers cautioned that the Subaru web vulnerabilities are the latest in a long series of similar web-based flaws that they and other security researchers working with them have found affecting more than a dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many more. There is little doubt, they say, that similarly serious hackable bugs exist in other auto companies’ web tools that have yet to be discovered.

In the case of Subaru, in particular, they also point out that their discovery indicates how widely those with access to Subaru’s portal can track customers’ movements, a privacy problem that will outlast the web vulnerability that exposed it. “The thing is, even though it’s patched, this functionality will still exist for Subaru employees,” Curry said. “It’s normal practice that an employee can pick up a year’s worth of your location history.”

When WIRED reached out to Subaru for comment on Curry and Shah’s findings, a spokesperson responded with a statement that “After being notified by independent security researchers, (Subaru) discovered a vulnerability in its StarLink service that could potentially allow third parties to access StarLink. The account vulnerability was immediately closed and no customer information was accessed without authorization.”

A Subaru spokesperson confirmed to WIRED that “there are employees at Subaru of America, based on the relevance of their work, who can access location data.” As an example, the company said employees have that access in order to share a vehicle’s location with first responders when a collision is detected. “All these individuals receive appropriate training and are required to sign appropriate confidentiality, security and NDA agreements as required,” Subaru’s statement added. “These systems include security monitoring solutions that are constantly evolving to address modern cyber threats.”

Responding to Subaru’s example of notifying first responders of collisions, Curry notes that a year’s worth of location history will rarely be required for that purpose. The company did not respond to WIRED’s question about how long it retains customers’ location histories and makes them available to employees.

Shah and Curry’s research led them to Subaru’s vulnerability when they found that Curry’s mother’s StarLink app connected to the SubaruCS.com domain, which they realized was an administrative domain for employees. By scouring that site for security flaws, they found they could reset employees’ passwords simply by guessing their email addresses, which gave them the power to take over the account of any employee whose email they could find. The password reset functionality asked for answers to two security questions, but they found that those answers were checked by code that ran locally in the user’s browser, not on Subaru’s servers, so the check could be easily bypassed. “There were really multiple systemic failures that led to this,” Shah said.

The two researchers said they found a Subaru StarLink developer’s email address on LinkedIn, took over that employee’s account, and immediately found they could use the employee access to look up any Subaru owner by last name, zip code, email address, phone number, or license plate and reach their StarLink configuration. Within seconds, they could reassign control of that user’s car’s StarLink features, including the ability to remotely unlock the car, sound its horn, start its ignition, or locate it, as shown in the video below.


