
Subaru Security Flaw Opens System to Track Millions of Cars


Curry and Shah reported their findings to Subaru in late November, and Subaru quickly addressed the Starlink security flaw. But the researchers warn that Subaru’s web vulnerability is just the latest in a long series of similar web-based flaws; Curry and other security researchers working with him have found that more than a dozen automakers are affected, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and more. There is no doubt, he said, that similar hackable bugs exist in other car companies’ web tools that have yet to be discovered. portals can track the movements of customers, a privacy issue that will outlast the vulnerabilities of the open web.

“That said, even if it’s patched, this functionality will still be there for Subaru employees,” Curry said. “It’s just a normal function that an employee can pull up your location history for a year.”

When WIRED contacted Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that “after being notified by an independent security researcher, [Subaru] discovered vulnerabilities in Starlink services that could allow third parties to access Starlink accounts. The vulnerability was closed immediately and no customer information could be accessed without permission. For example, employees have access to share the vehicle’s location with first responders in the event that a collision is detected. continues to evolve to address modern cyber threats.” In response to Subaru’s example of notifying first responders of collisions, Curry noted that this does not require a location history.

The research that led Shah and Curry to discover the Subaru vulnerability began when they found that Curry’s mother’s Starlink application was connected to the SubaruCS.com domain, which they knew was an administrative domain for employees.
Searching the site for security flaws, they discovered that it was possible to reset an employee’s password just by guessing their email address, which gave them the ability to take over the account of any employee whose email address they could find. The password reset function asked for answers to two security questions, but they found that the answers were checked by code running locally in the user’s browser, not on Subaru’s servers, so the protection was easily bypassed. “There are a lot of systemic failures that lead to this,” Shah said. The two researchers said they found an email address for a Subaru Starlink developer on LinkedIn, took over that employee’s account, and immediately discovered they could use the staff-level access to search for Subaru owners by last name, zip code, email address, phone number, or license plate, and to access those owners’ Starlink configuration. In seconds, they could reconfigure the Starlink feature controls for that owner’s vehicle, including the ability to remotely unlock the car, honk the horn, start the ignition, or locate it, as shown in the video below.
