Subaru's poor security has left vehicle data easily accessible


Subaru left open a security flaw that, although now fixed, exposes many of the privacy problems with modern cars. Security researchers Sam Curry and Shubham Shah reported their findings (via Wired) about an easily hacked employee web portal. Once inside, they were able to remotely control a test vehicle and view a year's worth of its location data. They warn that Subaru is far from the only company with poor vehicle data security.

After the researchers notified Subaru, the company quickly patched the flaw. Fortunately, the researchers say there is no sign the system had been breached by malicious hackers before. But they say authorized Subaru employees can still look up an owner's location history using just one of the following pieces of information: the owner's last name, zip code, email address, phone number or license plate number.

Engadget emailed Subaru seeking comment, and we'll update this story if we hear back.

The hacked admin portal was part of Subaru's Starlink connectivity feature set (no relation to SpaceX's satellite internet service of the same name). Curry and Shah got in by finding a Subaru Starlink employee's email address on LinkedIn and resetting that employee's password after bypassing two required security questions, which was possible because the check ran in the end user's web browser rather than on Subaru's servers. They then bypassed two-factor authentication by doing “the simplest thing we could think of: removing the client-side overlay from the user interface.”
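Both bypasses described above come down to the same defect: a step that only the browser enforces is a step the client can skip. As an added example (not Subaru's code or the researchers'), here is a minimal password-reset flow in Python where the server's own session record decides which step comes next, so a request that skips the security questions or the two-factor step is refused regardless of what the client claims; the user record, answer, one-time code and attempt limit are constructed for the example.

```python
import hashlib
import hmac
import secrets
# Constructed user record. The answer is stored hashed and compared only on the server
# (plain SHA-256 is used here for brevity; a salted, slow hash belongs in production).
USERS = {"employee@example.com": {
    "answer_hash": hashlib.sha256(b"rover").hexdigest(),
    "mfa_code": "246810",          # constructed stand-in for a one-time code
    "password": "old-password"}}
STEPS = ["questions", "mfa", "set_password"]   # order is enforced here, never by the browser

class ResetService:
    def __init__(self, users, max_attempts=3):
        self.users, self.max_attempts = users, max_attempts
        self.sessions = {}         # token -> {"email", "step", "attempts"}

    def start(self, email):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = {"email": email, "step": 0, "attempts": 0}
        return token

    def _session(self, token, step):
        # Only the server's own record of progress counts; a client skipping ahead gets None.
        s = self.sessions.get(token)
        if s is None or STEPS[s["step"]] != step or s["attempts"] >= self.max_attempts:
            return None
        return s

    def _verify(self, token, step, given, field):
        s = self._session(token, step)
        if s is None:
            return False
        s["attempts"] += 1                       # counts toward lockout even on success
        if not hmac.compare_digest(given, self.users[s["email"]][field]):
            return False
        s["step"], s["attempts"] = s["step"] + 1, 0
        return True

    def answer_question(self, token, answer):
        digest = hashlib.sha256(answer.encode()).hexdigest()
        return self._verify(token, "questions", digest, "answer_hash")

    def verify_mfa(self, token, code):
        return self._verify(token, "mfa", code, "mfa_code")

    def set_password(self, token, new_password):
        s = self._session(token, "set_password")
        if s is None:
            return False
        self.users[s["email"]]["password"] = new_password
        del self.sessions[token]
        return True
```

Calling `set_password` or `verify_mfa` before the earlier steps are recorded as passed returns `False`, which is the server-side behaviour the portal lacked.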

While the researchers' tests could only pull a year of the test vehicle's location history, they can't rule out the possibility that authorized Subaru employees could trace back even further. That is because the test car (a 2023 Subaru Impreza that Curry bought for his mother on the condition that he could hack it) had only been in use for about that long. The location data was also not coarsened to any wide area: it was accurate to within 17 feet and was updated every time the engine was started.

“After searching and finding my own vehicle on the dashboard, I have confirmed that the Starlink admin panel should be able to access virtually any Subaru in the US, Canada and Japan,” Curry wrote. “We wanted to confirm that we hadn't missed anything, so we approached a friend and asked if we could break into her car to demonstrate that there were no prerequisites or features that would actually prevent the car from being taken over completely. She sent us her license plate number, we opened her car in the admin panel and finally added ourselves to her car.”

The admin portal not only tracked location, but also allowed the researchers to remotely start, stop, lock and unlock any Subaru connected to Starlink. They said Curry's mother never received a notification that they had added themselves as an authorized user and did not receive any alert when they unlocked her car.

They could also request and obtain any customer's personal information, including their emergency contacts, authorized users, home address, the last four digits of their credit card and vehicle PIN. In addition, they were able to access the owner's customer service history, previous owners of the vehicle, odometer readings, and sales history.

The researchers say the tracking and security failures, which stem from a single employee's ability to access “tons of personal information,” are unlikely to be unique to Subaru. Wired notes that previous work by Curry and Shah has identified similar deficiencies affecting vehicles from Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and others.

The pair believe there are serious concerns about the industry's location tracking and poor security measures. “The auto industry is unique in that an 18-year-old employee in Texas can request payment information for a vehicle in California without raising any red flags,” Curry wrote. “It's part of their normal daily work. All employees have access to a lot of personal information, and it all comes down to trust. It seems really difficult to keep these systems secure when such broad access is built into the system by default.”

The full report from the researchers is worth reading.


