
Subaru’s Inadequate Security Exposed Vast Amounts of Vehicle Data

Subaru’s Security Breach Highlights Vulnerabilities in Automotive Data Protection

A recent security discovery by researchers Sam Curry and Shubham Shah has brought to light significant privacy concerns within modern vehicles, underscoring the exposure of personal data due to inadequate security measures. The duo reported their findings through Wired, revealing a vulnerable employee web portal at Subaru.

Upon exploiting this security flaw, Curry and Shah were able to remotely control a test vehicle and access a year’s worth of geolocation data. Their findings serve as a cautionary tale, indicating that Subaru is not alone in facing security challenges regarding vehicle data.

After being informed of the exploit, Subaru acted swiftly to patch the vulnerability. Fortunately, the researchers noted that no malicious hackers had taken advantage of the flaw prior to the patch. However, concerns still linger, as Subaru employees retain the ability to access vehicle owners’ location histories using only minimal identifiable information such as the owner’s last name, zip code, email address, phone number, or license plate.

Engadget has reached out to Subaru for comment; in the meantime, the gravity of the situation remains. The compromised admin portal is associated with Subaru’s Starlink connectivity features, which are unrelated to the SpaceX satellite service of the same name. The researchers gained access by obtaining the email address of a Subaru employee via LinkedIn, then resetting that account’s password after answering two security questions. The breach exposed a significant weakness: the two-factor authentication check was enforced within the end user’s browser rather than on Subaru’s own servers, so the researchers could simply sidestep it.
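The point above, that a second-factor check enforced only in the browser protects nothing, is easiest to see in code. This is an added illustration, not Subaru’s code or the researchers’ report: the endpoint names, the `mfa_passed` request field and the sample credentials are all assumed. The vulnerable reset handler trusts a flag the client sends; the hardened one consults only server-side session state.

```python
# Added illustration of client-side vs server-side MFA enforcement on a password reset.
# Assumed names and values throughout; the credentials below are constructed sample data.
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    mfa_verified: bool = False   # server-side record that the second factor succeeded

SESSIONS: dict[str, Session] = {}
PASSWORDS: dict[str, str] = {"employee@example.com": "old-password"}
OTP_CODES: dict[str, str] = {"employee@example.com": "123456"}   # constructed sample

def begin_reset(user: str) -> str:
    """Start a reset flow (e.g. after security questions) and return a session token."""
    token = secrets.token_hex(8)
    SESSIONS[token] = Session(user)
    return token

def reset_password_vulnerable(token: str, new_password: str, request: dict) -> str:
    """Pattern to flag in review: the server never checks the second factor itself.
    It only looks at a flag the browser supplies, so the browser decides whether MFA
    'passed' and the check can be satisfied without ever entering a code."""
    s = SESSIONS.get(token)
    if s is None:
        return "invalid session"
    if not request.get("mfa_passed"):
        return "mfa required"
    PASSWORDS[s.user] = new_password
    return "reset ok"

def verify_mfa(token: str, code: str) -> bool:
    """Server validates the code and records the outcome in its own session state."""
    s = SESSIONS.get(token)
    if s is None:
        return False
    if secrets.compare_digest(code, OTP_CODES[s.user]):
        s.mfa_verified = True
    return s.mfa_verified

def reset_password_hardened(token: str, new_password: str) -> str:
    """Nothing in the request body can claim MFA passed; only server state counts."""
    s = SESSIONS.get(token)
    if s is None:
        return "invalid session"
    if not s.mfa_verified:
        return "mfa required"
    PASSWORDS[s.user] = new_password
    del SESSIONS[token]          # reset session is single-use
    return "reset ok"
```

The detection value for a reviewer is the request field: any authentication decision keyed on a client-supplied boolean is the bug.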

The researchers were able to retrieve location data for the test vehicle going back one year, but could not determine whether authorized personnel could access records older than that. The test vehicle, a 2023 Subaru Impreza, was relatively new and had not been in use for an extended period. Remarkably, the location details retrieved were accurate to within 17 feet and were updated with each engine start.

Curry meticulously described the experience, noting that the Starlink admin interface seemed to grant access to nearly any Subaru vehicle across the United States, Canada, and Japan. To validate their findings, they conducted further tests, including hacking a friend’s vehicle, demonstrating that there were no preventative barriers in place against a complete vehicle takeover.

Beyond location tracking, the admin dashboard allowed the researchers to remotely start, stop, lock, and unlock any Subaru vehicle equipped with Starlink features. Alarmingly, no notification or alert was sent to Curry’s mother when the vehicle was accessed without authorization.

The vulnerabilities extended further, allowing researchers to retrieve extensive personal information about any customer. They accessed details such as emergency contacts, home addresses, the last four digits of credit card numbers, the owner’s support call history, and even odometer readings along with sales history for individual vehicles.

Curry and Shah emphasize that such tracking and security lapses are not isolated incidents confined to Subaru. Previous revelations involving similar weaknesses have affected numerous automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, and Toyota, as noted in Wired.

The researchers expressed their concerns about the overarching industry practices: “The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells,” Curry pointed out. “Employees have access to a vast amount of personal data, creating a system that relies heavily on internal trust. This broad access by design complicates the task of securing such systems effectively.”

For those interested in further details, the full report from the researchers is available for review.

Source
www.engadget.com
