Subaru’s poor security left troves of vehicle data easily accessible

Subaru left open a gaping security flaw that, although patched, lays bare modern vehicles’ myriad privacy issues. Security researchers Sam Curry and Shubham Shah reported their findings (via Wired) about an easily hacked employee web portal. After gaining access, they were able to remotely control a test vehicle and view a year’s worth of location data. They warn that Subaru is far from alone in having lax security around vehicle data.

After the security analysts notified Subaru, the company quickly patched the exploit. Fortunately, the researchers say less-than-ethical hackers hadn’t breached it before then. But they say authorized Subaru employees can still access owners’ location history with only a single piece of the following information: the owner’s last name, zip code, email address, phone number or license plate.

Engadget emailed Subaru for comment, and we’ll update this story if we hear back.

The hacked admin portal was part of Subaru’s Starlink suite of connectivity features. (No relation to the SpaceX satellite internet service of the same name.) Curry and Shah got in by finding a Subaru Starlink employee’s email address on LinkedIn and resetting the worker’s password after bypassing two required security questions; the questions were checked in the end user’s web browser rather than on Subaru’s servers, so the check could be skipped. They also bypassed two-factor authentication by doing “the simplest thing that we could think of: removing the client-side overlay from the UI.”
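The core defect above is a password-reset step enforced only in the browser. The following added example (not code from Subaru or the researchers; the account, answers and salt are constructed) contrasts a reset handler that trusts a client-supplied “questions verified” flag with one that verifies the answers server-side and only then issues a short-lived reset token.

```python
import hashlib
import hmac
import secrets
import time

SALT = b"constructed-demo-salt"  # per-user random salts in real systems

def _hash(value: str) -> bytes:
    # Normalise and hash the answer so plaintext answers are never stored.
    return hashlib.pbkdf2_hmac("sha256", value.strip().lower().encode(), SALT, 50_000)

# Constructed user store: a made-up account with two security answers.
USERS = {
    "employee@example.invalid": {
        "answers": [_hash("maple street"), _hash("rover")],
        "password": "old-password",
    }
}
RESET_SESSIONS = {}  # server-side: token -> (email, expiry timestamp)

def reset_password_vulnerable(email, questions_verified: bool, new_password):
    """Flawed flow: the browser runs the quiz and tells the server the result.
    Any client can simply send questions_verified=True."""
    if email in USERS and questions_verified:
        USERS[email]["password"] = new_password
        return True
    return False

def verify_answers(email, answers):
    """Hardened step 1: the server checks the answers itself and records the
    outcome in server-side state, returning a one-time token on success."""
    user = USERS.get(email)
    if not user or len(answers) != len(user["answers"]):
        return None
    ok = all(hmac.compare_digest(_hash(given), stored)
             for given, stored in zip(answers, user["answers"]))
    if not ok:
        return None
    token = secrets.token_urlsafe(32)
    RESET_SESSIONS[token] = (email, time.time() + 300)  # 5-minute validity
    return token

def reset_password_hardened(token, new_password):
    """Hardened step 2: the reset completes only with a token the server
    issued, which is consumed on use and rejected once expired."""
    entry = RESET_SESSIONS.pop(token, None)
    if entry is None or entry[1] < time.time():
        return False
    USERS[entry[0]]["password"] = new_password
    return True
```

The same pattern applies to the second factor: the server must record that the factor was satisfied before it issues a session, rather than relying on an overlay the client can remove.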

Although the researchers’ tests traced the test vehicle’s location back one year, they can’t rule out the possibility that authorized Subaru employees can snoop back even farther. That’s because the test car (a 2023 Subaru Impreza Curry bought for his mother on the condition that he could hack it) had only been in use for about that long. The location data wasn’t generalized to some broad swath of land, either: It was accurate to less than 17 feet and updated each time the engine started.

“After searching and finding my own vehicle in the dashboard, I confirmed that the Starlink admin dashboard should have access to pretty much any Subaru in the United States, Canada, and Japan,” Curry wrote. “We wanted to confirm that there was nothing we were missing, so we reached out to a friend and asked if we could hack her car to demonstrate that there was no pre-requisite or feature which would’ve actually prevented a full vehicle takeover. She sent us her license plate, we pulled up her vehicle in the admin panel, then finally we added ourselves to her car.”

In addition to tracking their location, the admin portal allowed the researchers to remotely start, stop, lock and unlock any Starlink-connected Subaru vehicle. They said Curry’s mother never received notifications that they had added themselves as authorized users, nor did she receive alerts when they unlocked her car.

They could also query and retrieve personal information for any customer, including their emergency contacts, authorized users, home address, the last four digits of their credit card and vehicle PIN. In addition, they were able to access the owner’s support call history and the vehicle’s previous owners, odometer reading and sales history.

The security researchers say the tracking and security failures — stemming from the ability of a single employee to access “a ton of personal information” — are hardly unique to Subaru. Wired notes that Curry and Shah’s previous work exposed similar flaws affecting vehicles from Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and others.

The pair believes there’s reason for serious concern about the industry’s location tracking and poor security measures. “The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells,” Curry wrote. “It’s part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust. It seems really hard to really secure these systems when such broad access is built into the system by default.”

The researchers’ full report is worth a read.

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/subarus-poor-security-left-troves-of-vehicle-data-easily-accessible-182514123.html?src=rss
Created 1mo | 23 Jan 2025, 19:10:30


