Source URL: https://yro.slashdot.org/story/25/01/28/0013226/software-flaw-exposes-millions-of-subarus-rivers-of-driver-data?utm_source=rss1.0mainlinkanon&utm_medium=feed
Source: Slashdot
Title: Software Flaw Exposes Millions of Subarus, Rivers of Driver Data
Summary: The report highlights significant vulnerabilities in Subaru’s STARLINK telematics software, which permitted unauthorized access to numerous vehicles using easily obtainable data. The case underscores ongoing security concerns in connected vehicle technologies and parallels similar issues elsewhere in the automotive industry.
Detailed Description: The vulnerabilities identified in Subaru’s STARLINK telematics service present major security implications for the automotive sector, especially as vehicles become increasingly connected and reliant on software. Here are the key points:
– **Vulnerability Discovery**: Independent security researchers were able to exploit vulnerabilities in the STARLINK telematics system, enabling them to remotely access and control several Subaru vehicles across multiple countries.
– **Access Method**: The researchers used simple information such as license plate numbers and personal details (email addresses, zip codes, phone numbers) to gain access to vehicles, illustrating a severe gap in data protection and authentication layers.
– **Experimentation**: One of the researchers, Sam Curry, demonstrated the access gained by downloading location data for a vehicle owned by his mother and remotely using functions like locking and unlocking doors.
– **Comparative Cases**: The nature of this vulnerability is similar to previously documented security flaws in the automotive sector, particularly a report detailing flaws in KIA’s web-based applications that also resulted in unauthorized control over vehicles and theft of personal data.
– **Structural Security Issues**: The findings indicate that the connected vehicle infrastructure designed for dealer and employee access suffers from inadequate security measures, particularly around account creation and authentication, representing a systemic risk in the industry.
The incident calls attention to the need for robust cybersecurity frameworks within the automotive industry as connected vehicles become more prevalent. Security professionals must engage in proactive risk assessments and implement stringent security measures to protect consumer data and vehicle integrity.