Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched its StarLink security flaws. But the researchers caution that the Subaru website vulnerabilities are just the latest in a long line of similar web-based flaws they and other security researchers working with them have found that have affected well over a dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and many others. There’s little doubt, they say, that similarly serious hackable bugs exist in other auto companies’ online tools that have yet to be discovered.
In the case of Subaru, in particular, they also point out that their discovery hints at how broadly those with access to Subaru’s portal can track their customers’ movements, a privacy issue that will last far longer than the network vulnerabilities that exposed it. “The thing is, even though this is patched, this functionality will still exist for Subaru employees,” Curry says. “It’s just normal functionality that an employee can increase the annual value of your location history.”
When Wired reached out to Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that “after being notified by independent security researchers, [Subaru] discovered a vulnerability in its StarLink service that could potentially allow a third party to access StarLink accounts. The vulnerability was immediately closed and no customer information was ever accessed without authorization.”
The Subaru spokesperson also confirmed to Wired that “there are employees at Subaru of America, based on The case when a collision is detected. to meet modern cyber threats.”
Responding to Subaru’s example of notifying first responders of a collision, Curry notes that would hardly require a year’s worth of space. The company did not respond to Wired asking how far back it stores customers’ location histories and makes them available to employees.
Shah and Curry’s research that led them to the discovery of Subaru’s vulnerabilities began when they found that Curry’s mother’s StarLink app linked to the subarucs.com domain, which they noticed was an administrative domain for employees. Examining that site for security flaws, they found they could reset employees’ passwords simply by guessing their email address, which gave them the ability to take over the account of any employee whose email they could find. The password reset functionality asked for answers to two security questions, but they found that those answers were verified by code that ran locally in a user’s browser, not on Subaru’s server, allowing the check to be easily bypassed. “There were really multiple system failures that led to this,” Shah says.
The two researchers say they found the email address for a Subaru StarLink developer on LinkedIn, took over the employee’s account, and immediately found they could use that staff access to search for any Subaru owner by last name, zip code, email address, phone number, or license to access their StarLink settings. In seconds, they could then reassign control of the StarLink features of that user’s vehicle, including the ability to remotely unlock the car, honk its horn, start its ignition, or locate it, as the video below shows.