Cybersecurity researchers Sam Curry and Shubham Shah discovered vulnerabilities in Subaru’s Starlink infotainment system (not affiliated with SpaceX’s satellite provider) that could allow them to take partial control of a car and monitor its movements.
The researchers compromised the Starlink system through the Subaru web portal. By repeating their actions, a potential attacker could unlock the car, sound the horn, start the engine, and also reassign these functions to any phone or PC. They also found that the system can track the location of a Subaru car: not only where it is currently located, but also the history of its movements. The hack was demonstrated on a car belonging to Mr. Curry’s mother. In the system he could see all her trips to the doctor, her visits to friends, and even the parking space where she left the car when she went to church. The vulnerability affected Subaru Starlink systems in the USA, Canada and Japan.
The researchers identified the domain name of the resource through which vehicle functions are controlled remotely. After studying this site, they found a way to gain administrative privileges: once they had an employee’s email address, they could reset his password. To do this, the system requested the answers to two security questions, but the answers were checked by a local script in the user’s browser rather than on the Subaru server, and such protection was not difficult to bypass. On LinkedIn, they found the email address of a Subaru Starlink developer, took over his admin portal account, and discovered that he had access to search for any Subaru owner by name, zip code, email address, phone number, or license plate number. Having found the car they were looking for, they gained access to its Starlink configuration.
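The flaw described above, where security-question answers were checked by a script in the browser rather than on the server, comes down to which side enforces the check. The following sketch is an added example, not Subaru's code or anything published by the researchers; the account data, function names and token scheme are all assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Subaru's code.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s.trim().toLowerCase()).digest();

// Constructed sample account: only hashes of the answers are kept server-side
// (the password is plaintext only to keep the constructed sample short).
const accounts = new Map([
  ['employee@example.com', {
    answerHashes: [sha256('maple street'), sha256('rex')],
    password: 'old-password',
  }],
]);
const resetTokens = new Map(); // token -> { email, expires }

// Weak pattern from the article: the server assumes the browser already
// checked the answers, so any request that reaches it succeeds.
function resetTrustingClient(email, newPassword) {
  const acct = accounts.get(email);
  if (!acct) return false;
  acct.password = newPassword;
  return true;
}

// Hardened step 1: the server compares the answers itself, in constant time,
// and only then issues a short-lived token bound to the account.
function verifyAnswers(email, answers) {
  const acct = accounts.get(email);
  if (!acct || !Array.isArray(answers) || answers.length !== acct.answerHashes.length) return null;
  const ok = acct.answerHashes
    .map((h, i) => crypto.timingSafeEqual(h, sha256(String(answers[i]))))
    .every(Boolean); // all answers are compared before deciding
  if (!ok) return null;
  const token = crypto.randomBytes(32).toString('hex');
  resetTokens.set(token, { email, expires: Date.now() + 10 * 60 * 1000 });
  return token;
}

// Hardened step 2: a reset needs a live, single-use token for that account.
function resetWithToken(email, token, newPassword) {
  const entry = resetTokens.get(token);
  resetTokens.delete(token); // single use, even on failure
  if (!entry || entry.email !== email || entry.expires < Date.now()) return false;
  accounts.get(email).password = newPassword;
  return true;
}
```

With the hardened pair, skipping or altering the browser-side script changes nothing, because the reset call is refused unless the server itself verified the answers and issued the token.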
Curry and Shah reported their findings to Subaru in late November, and the automaker quickly took action to patch the vulnerabilities. This solved the security problem but left a privacy problem: even though potential attackers lost the ability to take over vehicle control functions and read vehicle movement history, Subaru employees could still do all of this. The company confirmed that its employees do have access to all these functions, but assured that they undergo proper training and sign non-disclosure agreements; in practice, according to the company, they are given access to a car’s location so that it can be reported to first responders if the system detects an accident.
The fact that Subaru tracks the movements of its cars shows that there are no longer any guarantees of privacy anywhere in the auto industry, Sam Curry points out. A Google employee, for example, is not supposed to be able to read the correspondence of Gmail users, whereas at Subaru the history of vehicle movements is open to company employees. It was reported earlier that similar data on VW Group cars became publicly available due to the actions of Cariad, a company within the group.