Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched Starlink’s security flaws. But the researchers warn that Subaru’s web vulnerabilities are only the latest in a long line of similar web-based flaws, found by them and by other security researchers they work with, that have affected more than a dozen automakers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and many more. They say there is no doubt that similar serious, hackable bugs exist in other auto companies’ web tools and have yet to be discovered.
In Subaru’s case in particular, they also point out that their discovery shows how extensively those with access to Subaru’s portal can track the movements of its customers, a privacy issue that will persist much longer than the web vulnerabilities they uncovered. “The thing is, even though this has been patched, this functionality will still exist for Subaru employees,” Curry says. “It’s just a regular function where an employee can pull up a year’s worth of your location history.”
When WIRED reached out to Subaru for comment on Curry and Shah’s findings, a spokesperson responded in a statement that “after being notified by independent security researchers, [Subaru] discovered a security vulnerability in its Starlink service that potentially allowed a third party to access Starlink accounts. The vulnerability was closed immediately and no customer information was accessed without permission.”
A Subaru spokesperson also confirmed to WIRED that “there are employees at Subaru of America who, depending on their job suitability, have access to location data.” As an example, Subaru’s statement said that employees use this access to share a vehicle’s location with first responders. “All of these individuals receive appropriate training and are required to sign appropriate privacy and security agreements and non-disclosure agreements as needed,” the statement added.
In response to Subaru’s example of notifying first responders after a collision, Curry points out that this does not require a year of location history. The company did not respond to WIRED’s question about how long it retains customer location records and keeps them available to employees.
The research that led Curry and Shah to Subaru’s vulnerabilities began when they noticed that the Starlink app on Curry’s mother’s phone connected to the domain SubaruCS.com, which they realized was an employee administrative domain. Probing that site for security flaws, they found that they could reset employees’ passwords simply by guessing their email address, which gave them the ability to take control of the account of any employee whose email they could find. The password reset function did ask for the answers to two security questions, but those answers were verified by code running locally in the user’s browser rather than on Subaru’s server, so the protection could be bypassed trivially. “There were actually multiple systemic failures that led to this,” Shah says.
The two researchers say they found a Subaru Starlink developer’s email address on LinkedIn, took over that employee’s account, and immediately found they could use the employee’s access to search for any Subaru owner by last name, zip code, email address, phone number or license plate and access their Starlink configuration. In seconds, they could then reassign control of that owner’s vehicle’s Starlink features to themselves, including the ability to remotely unlock the vehicle, sound the horn, start the ignition, or locate it, as shown in the video below.