About a year ago, security researcher Sam Curry bought his mother a Subaru, on the condition that, at some point in the near future, she let him hack it.
It took Curry until last November, when he was home for Thanksgiving, to begin examining the 2023 Impreza's Internet-connected features and start looking for ways to exploit them. Sure enough, he and a researcher working with him online, Shubham Shah, soon discovered vulnerabilities in a Subaru web portal that let them hijack the ability to unlock the car, honk its horn, and start its ignition, reassigning control of those features to any phone or computer they chose.
Most disturbing for Curry, though, was that they found they could also track the Subaru's location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car's whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.
"You can retrieve at least a year's worth of location history for the car, where it's pinged precisely, sometimes multiple times a day," Curry says. "Whether somebody's cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone."
Curry and Shah today revealed in a blog post their method for hacking and tracking millions of Subarus, which they believe would have allowed hackers to target any of the company's vehicles equipped with its digital features known as Starlink in the US, Canada, or Japan. Vulnerabilities they found in a Subaru website intended for the company's staff allowed them to hijack an employee's account to both reassign control of cars' Starlink features and also access all the vehicle location data available to employees, including the car's location every time its engine started, as shown in their video below.
[...] Shah and Curry's research began when they found that Curry's mother's Starlink app connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Scouring that site for security flaws, they found that they could reset employees' passwords simply by guessing their email address, which gave them the ability to take over any employee's account whose email they could find. The password reset functionality did ask for answers to two security questions, but those answers were checked by code that ran in the user's browser rather than on Subaru's server, so an attacker could skip that check and submit the reset request directly. "There were really multiple systemic failures that led to this," Shah says.
[...] More unusual in Subaru's case, Curry and Shah say, is that they were able to access fine-grained, historical location data for Subarus going back at least a year. Subaru may in fact collect multiple years of location data, but Curry and Shah tested their technique only on Curry's mother, who had owned her Subaru for about a year.
Curry argues that Subaru's extensive location tracking is a particularly disturbing demonstration of the car industry's lack of privacy safeguards around its growing collection of personal data on drivers. "It's kind of bonkers," he says. "There's an expectation that a Google employee isn't going to be able to just go through your emails in Gmail, but there's literally a button on Subaru's admin panel that lets an employee view location history."
[...] "While we worried that our doorbells and watches that connect to the Internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines," Mozilla's report reads.
Curry and Shah's discovery of the security vulnerabilities in Subaru's tracking systems demonstrates a particularly egregious exposure of that data, but also a privacy problem that is hardly less disturbing now that the vulnerabilities are patched, says Robert Herrell, the executive director of the Consumer Federation of California, which has sought to create legislation for limiting a car's data tracking.
"It seems like there are a bunch of employees at Subaru that have a scary amount of detailed information," Herrell says. "People are being tracked in ways that they have no idea are happening."
(Score: 3, Touché) by Frosty Piss on Wednesday January 29, @11:20PM (5 children)
It is not "earth shaking" that a car that can be unlocked with a fob or an app can be hacked; I'm really not seeing much that is "earth shaking". Now, can it be remotely unlocked, started, and driven freely by a hack? Sure, the location data is troublesome, but if LE wants it, they can get it anyway, and CCTV already knows where my drug dealer and my mistress live. And, how does Elon feel about Subaru using the Starlink trademark for their "all seeing eye"? One doesn't want to piss off President Musk...
(Score: 5, Informative) by kolie on Thursday January 30, @12:19AM (4 children)
I don't think you understand what was reported in this.
This guy took over a website by finding an employee's email, calling a public endpoint to reset an account password by specifying only the current email and a new password, and then logging into the app, which showed 2FA at login but which was literally just an HTML cover over the already logged-in credential, which he hid by simply editing the display HTML.
From that portal, every Subaru with Starlink was accessible to him: its location, its owner information, all the commands to open, unlock, and start it, and the location history for at least a year.
Forget hacking the fob - this is a real wtf - and fucking nuts on so many levels.
(Score: 3, Touché) by mhajicek on Thursday January 30, @06:14AM (3 children)
My dad pulled the fuse for the modem on his.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 3, Insightful) by Freeman on Thursday January 30, @02:46PM (2 children)
The sad fact where disabling features on a vehicle make it more safe / secure.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by DannyB on Thursday January 30, @04:24PM (1 child)
Someday in the future, scientists and engineers will invent a way to build automobiles that don't require microprocessors.
Stop asking "How stupid can you be?" Some people apparently take it as a challenge.
(Score: 4, Touché) by epitaxial on Thursday January 30, @09:20PM
Nothing wrong with microprocessors. Giving them an IP stack is the problem.
(Score: 2, Interesting) by Anonymous Coward on Wednesday January 29, @11:52PM
Our 2014 Subaru Impreza is the last model before the flat screen and Starlink. So I think we don't have all these bugs (which Subaru may claim are features). I'm perfectly happy with the selectable info display (miles to empty, mpg, time, temperature, etc).
Reference: https://www.impreza5.com/threads/adding-starlink-apps.3289/