Source URL: https://samcurry.net/hacking-subaru
Source: Hacker News
Title: Hacking Subaru: Tracking and Controlling Cars via the Starlink Admin Panel
AI Summary and Description: Yes
Summary: The text highlights a critical security vulnerability discovered in Subaru’s STARLINK vehicle service, allowing unauthorized access to vehicles and sensitive customer data. This incident underscores the need for stringent security measures in connected vehicle systems to prevent unauthorized access and ensure the protection of personally identifiable information (PII).
Detailed Description:
The text provides a detailed account of a security vulnerability found in the Subaru STARLINK service, revealing severe implications for user privacy and vehicle security:
– **Vulnerability Overview**:
  – The vulnerability granted unrestricted access to all STARLINK-connected vehicles and customer accounts across the U.S., Canada, and Japan.
  – An attacker could remotely manipulate vehicle functions and retrieve sensitive user data using only minimal information, such as a last name and ZIP code.
– **Impact on Users**:
  – The attack vector included the ability to:
    – Remotely start, stop, lock, or unlock vehicles.
    – Access a complete year’s location history with 5-meter accuracy.
    – Retrieve PII including emergency contacts, authorized user details, and billing information.
    – Access support call history and odometer readings.
– **Vulnerability Discovery**:
  – The vulnerabilities were discovered while testing the MySubaru Mobile App and further probing into employee-facing applications.
  – A significant flaw was identified in the employee login and password reset functionalities, allowing account takeovers without proper authentication checks.
– **Exploit Methodology**:
  – The authors proceeded to enumerate employee emails by querying the security question API, which led them to successfully reset an employee’s password.
  – A lack of proper access controls and two-factor authentication (2FA) allowed the authors to bypass security and gain full administrative access.
– **Consequences and Response**:
  – The authors demonstrated the exploit, showing that they could track vehicle locations, unlock cars, and access sensitive user data without any prior consent from the vehicle owners.
  – After reporting the vulnerability, Subaru took quick action and patched the vulnerability within 24 hours, indicating a proactive security response.
– **Key Insights for Security Professionals**:
  – This incident highlights the high risks associated with connected vehicle technologies where extensive access is often granted to employees without appropriate checks.
  – It calls for organizations to evaluate and potentially implement stricter access controls, robust authentication measures, and continuous monitoring of sensitive functionalities to protect against similar vulnerabilities.
In conclusion, this case study serves as a critical reminder of the security challenges facing the automotive industry, particularly as vehicles become increasingly connected to the digital ecosystem, necessitating a reevaluation of security practices and protocols.
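The two weaknesses the summary names in the employee reset flow (a security-question endpoint that doubles as an account-enumeration oracle, and a reset that completes without the server itself verifying the requester) can be contrasted with a hardened flow. The following is an added illustration, not Subaru's code or API, using a constructed in-memory employee record and a simulated out-of-band mailbox:

```python
import hashlib
import secrets
import time

# Constructed sample data for this illustration; not Subaru's directory, code or API.
EMPLOYEES = {"alice@example.test": {"question": "Name of first pet?", "pw_hash": None}}
RESET_TOKENS = {}   # email -> (sha256 of token, expiry as epoch seconds)
OUTBOX = {}         # simulated out-of-band delivery (e-mail) of reset tokens
TOKEN_TTL = 900     # seconds a reset token stays valid
UNIFORM_MSG = "If an account exists for that address, reset instructions have been sent."

def lookup_question_weak(email):
    """Enumeration oracle: the reply differs for known and unknown e-mails, so a
    caller can confirm which addresses belong to employee accounts."""
    if email in EMPLOYEES:
        return {"found": True, "question": EMPLOYEES[email]["question"]}
    return {"found": False}

def begin_reset_hardened(email, now=None):
    """Same reply whether or not the account exists; the token leaves only out of band.
    (Response timing should also be equalised in a real deployment.)"""
    now = time.time() if now is None else now
    if email in EMPLOYEES:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[email] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
        OUTBOX[email] = token          # stands in for sending the reset e-mail
    return UNIFORM_MSG

def complete_reset_hardened(email, token, new_password, now=None):
    """The server validates the token itself (time-limited, single use, constant-time
    compare) instead of trusting a client-side 'security question answered' flag."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(email)
    if entry is None:
        return False
    stored_hash, expiry = entry
    supplied_hash = hashlib.sha256(token.encode()).hexdigest()
    if now > expiry or not secrets.compare_digest(stored_hash, supplied_hash):
        return False
    del RESET_TOKENS[email]            # single use: a replayed token is rejected
    salt = secrets.token_bytes(16)
    EMPLOYEES[email]["pw_hash"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True
```

The weak lookup is kept only to show the oracle behaviour; the hardened pair returns one message for every address and never accepts a reset the server did not itself issue and verify.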