Subaru left open a huge security hole that, although now patched, exposes the innumerable privacy problems of modern vehicles. Security researchers Sam Curry and Shubham Shah reported their findings (via Wired) on an easily hacked employee web portal. After gaining access, they could remotely control a test vehicle and view a year's worth of its location data. They warn that Subaru is not the only automaker with lax security around vehicle data.
After the security researchers notified Subaru, the company quickly patched the exploit. Fortunately, the researchers say, it appears no unethical hackers had exploited it before. But they say that authorized Subaru employees can still access owners' location history with only one of the following pieces of information: the owner's last name, zip code, email address, phone number or license plate.
The hacked admin portal was part of Subaru's Starlink suite of connectivity features (no relation to SpaceX's satellite internet service of the same name). Curry and Shah got in when they found a Subaru Starlink employee's email address on LinkedIn and reset the worker's password after bypassing two required security questions, because the check took place in the end user's web browser, not on Subaru's servers. They also bypassed two-factor authentication by "the simplest thing we could think of: removing the client-side overlay from the user interface."
Although the researchers' test tracked the test vehicle's location for a year, they cannot rule out the possibility that authorized Subaru employees can snoop even further back. That is because the test car (a 2023 Subaru Impreza Curry bought for his mother on the condition that he could hack it) had only been in use for that long. The location data was not generalized to a broad swath of land: it was accurate to within 17 feet and was updated every time the engine started.
"After searching and finding my own vehicle on the dashboard, I confirmed that the Starlink admin panel should have access to pretty much any Subaru in the United States, Canada and Japan," Curry wrote. "We wanted to confirm that nothing was missing, so we reached out to a friend and asked if we could hack her car to demonstrate that there was no prerequisite or feature that would have prevented the full takeover of the vehicle. She sent us her license plate, we pulled up her vehicle in the admin panel and finally added ourselves to her car."
In addition to tracking its location, the admin portal allowed the researchers to start, stop, lock and unlock any Starlink-connected Subaru vehicle. They said Curry's mother never received notifications that they had been added as authorized users, nor alerts when they unlocked her car.
They could also look up and retrieve personal information on any customer, including emergency contacts, authorized users, home address, the last four digits of their credit card and the vehicle PIN. They were also able to access the owner's support history and the vehicle's previous owners, odometer reading and sales history.
In a statement to Engadget, Subaru Director of Communications Dominick Infante wrote: "Subaru of America, Inc. was notified by independent security researchers of a vulnerability in its Starlink service that had the potential to allow third-party access to Starlink accounts. Subaru resolved the vulnerability that same day, and no Subaru vehicle or customer data was ever accessed without authorization. The independent researchers were able to access two accounts belonging to a relative and a friend who gave them authorization to do so."
Subaru also emphasized that its cars cannot be driven remotely and that the company does not sell location data. It also said that only certain employees can access driver location data, based on job relevance.
The security researchers say the tracking and security failings, stemming from a single employee's ability to access "a ton of personal information," are not unique to Subaru. Wired points out that Curry and Shah's previous work exposed similar flaws affecting Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and other vehicles.
The pair believes there is reason to be seriously worried about the industry's location tracking and poor security measures. "The auto industry is unique in that an 18-year-old employee from Texas can query the billing information for a vehicle in California, and it won't really set off any alarms," Curry wrote. "It's part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust. It seems really hard to secure these systems when such broad access is built into the system by default."
The researchers' full report is worth reading.
Update, January 24, 2025, 1:07 PM ET: This story was updated to add a statement from Subaru.