As the automotive sector becomes increasingly advanced and interconnected, the risks associated with security weaknesses are on the rise. A recent report highlights how exposed connected vehicles can be.
Discovery of Vulnerabilities
A security researcher named Sam Curry has shared a blog post explaining how he and a partner, Shubham Shah, managed to breach the Starlink software system utilized by Subaru vehicles. Starlink is responsible for the infotainment system in Subaru cars, providing functionalities like remotely locking or unlocking the car and even starting it from a distance.
Curry noted that a flaw in the Subaru employee login page for the Starlink system enabled him to discover a valid employee email, reset the employee’s password, and bypass any two-factor authentication measures to access the system.
Accessing Sensitive Information
Upon gaining entry into the Starlink system, Curry found he could track any registered Subaru vehicle using various identifiers: customer name, phone number, email address, or vehicle identification number (VIN). (It’s important to mention that VINs are easily obtainable through a license plate.) After locating a vehicle, a wealth of information was available for the taking, including billing details, emergency contacts, and much more.
Beyond the personal data, the system also exposed the vehicle’s location history for the past year, which, according to Curry, was straightforward to download and visualize. This data comprised timestamps, the car’s odometer reading, and GPS coordinates with a precision of about 15 feet or 5 meters.
Alarming Control Capabilities
What’s particularly concerning is that Curry was able to find a friend’s car within the database and add his own credentials as an authorized Starlink user for that vehicle. Once granted access, he could control the vehicle remotely, unlocking and locking it, starting it from afar, and pinpointing its location. The original Starlink user received no alerts about the new user being added to their vehicle’s Starlink account.
Fortunately, Subaru seems to have addressed the security flaw, which was identified by Curry in November 2024. The automaker acted commendably, deploying a patch within 24 hours of Curry’s report. This incident underscores the reality that, despite the intelligence of our vehicles, they remain susceptible to thieves and other malicious entities.