Subaru owners may need to buckle up for what they are about to read.
A pair of security researchers have discovered a now-patched vulnerability that would have granted hackers unrestricted access to vehicles and customer accounts in the US, Canada, and Japan.
Sam Curry and Shubham Shah found the vulnerability in November of last year in Subaru’s STARLINK In-Vehicle Technology, the Japanese carmaker’s in-vehicle infotainment system (unrelated to Elon Musk’s Starlink satellite service). As detailed in a January post on Curry’s personal blog, the two researchers chained flaws in Subaru’s STARLINK Admin Portal: the password-reset flow let them reset an employee account without a confirmation token, and the portal’s two-factor authentication could be bypassed easily, so they were able to take over an active employee account. With that access, they could search customer and vehicle records and quietly add themselves as an authorized user of a friend’s vehicle.
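To make the reset weakness concrete, the following is an added example, not Subaru’s code and not taken from Curry’s post. It contrasts a hypothetical password-reset handler that trusts the e-mail address alone (the flaw class described above) with a hardened handler that requires a single-use, expiring confirmation token bound to the account and compares it in constant time. The class names, the account, and the in-memory token storage are all constructed for illustration.

```python
"""Password-reset flow: e-mail-only reset next to a token-gated reset.
Constructed example; not the STARLINK Admin Portal's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


def _hash(value: str) -> str:
    # Stand-in for a real password/token hash (use argon2 or bcrypt in production);
    # sha256 keeps the example dependency-free and offline.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None   # only a hash of the token is stored
    reset_expires_at: float = 0.0


class VulnerablePortal:
    """Reset endpoint that trusts the e-mail alone: anyone who knows an
    employee's address can choose that employee's new password."""

    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}

    def reset_password(self, email: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        acct.password_hash = _hash(new_password)   # no token, no proof of mailbox control
        return True


class HardenedPortal:
    TOKEN_TTL = 15 * 60   # seconds a reset token stays valid (assumed policy)

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.now = now   # injectable clock so expiry can be tested offline

    def request_reset(self, email: str) -> Optional[str]:
        """Issue a random single-use token to be delivered out of band (e-mail).
        Unknown addresses return None; callers should respond identically."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = _hash(token)
        acct.reset_expires_at = self.now() + self.TOKEN_TTL
        return token

    def reset_password(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token_hash is None:
            return False                       # no outstanding reset for this account
        if self.now() > acct.reset_expires_at:
            self._clear(acct)                  # expired tokens are discarded
            return False
        if not hmac.compare_digest(acct.reset_token_hash, _hash(token)):
            return False                       # wrong token; constant-time compare
        acct.password_hash = _hash(new_password)
        self._clear(acct)                      # single use: token cannot be replayed
        return True

    @staticmethod
    def _clear(acct: Account) -> None:
        acct.reset_token_hash = None
        acct.reset_expires_at = 0.0


def demo():
    """Run both portals against the same constructed employee account.
    Returns (vuln_reset_ok, hard_no_token, hard_bad_token, hard_good_token, hard_reuse)."""
    victim = Account("employee@example.invalid", _hash("original"))
    vuln = VulnerablePortal([victim])
    r1 = vuln.reset_password(victim.email, "attacker-chosen")   # succeeds: True

    victim2 = Account("employee@example.invalid", _hash("original"))
    hard = HardenedPortal([victim2])
    r2 = hard.reset_password(victim2.email, "", "attacker-chosen")      # no token issued
    token = hard.request_reset(victim2.email)
    r3 = hard.reset_password(victim2.email, "guess", "attacker-chosen") # wrong token
    r4 = hard.reset_password(victim2.email, token, "owner-chosen")      # real token
    r5 = hard.reset_password(victim2.email, token, "again")             # replay
    return r1, r2, r3, r4, r5


def expiry_demo() -> bool:
    """True if a valid token is rejected once TOKEN_TTL has elapsed."""
    clock = [1_000_000.0]
    acct = Account("employee@example.invalid", _hash("original"))
    hard = HardenedPortal([acct], now=lambda: clock[0])
    token = hard.request_reset(acct.email)
    clock[0] += HardenedPortal.TOKEN_TTL + 1
    return not hard.reset_password(acct.email, token, "late")


if __name__ == "__main__":
    print(demo(), expiry_demo())
```

The hardened version closes the three gaps a reset endpoint typically has: it proves control of the mailbox (the token only ever leaves the server by e-mail), it stores a hash rather than the token itself, and it makes the token single-use and time-limited so a leaked or guessed value cannot be replayed later.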
An attacker who knew a victim’s last name and zip code, email address, phone number, or license plate could have used that access to remotely start and stop the targeted vehicle, pull a year’s worth of the vehicle’s location history, and retrieve certain personally identifiable information.
The researchers said the vulnerability was never exploited maliciously and was patched within 24 hours of being reported to Subaru.
Malicious car enthusiasts. It seems like these days, malicious actors aren’t giving auto manufacturers a…brake. About a week before Curry posted his findings, researchers from Kaspersky detailed a number of vulnerabilities in the first generation of Mercedes-Benz User Experience, Mercedes-Benz’s infotainment system. And in November of last year, Trend Micro’s Zero Day Initiative disclosed half a dozen vulnerabilities in Mazda’s in-vehicle infotainment system, the Mazda Connect Connectivity Master Unit, that could be chained into “a complete and persistent compromise” of the system.
ForAllSecure CEO David Brumley told IT Brew at last year’s RSA Conference that the in-vehicle computers providing entertainment and information to drivers and passengers are one of the top entry points malicious actors use to get into a vehicle’s systems.
“What continues to surprise me is how little thought is put into these systems,” he said in June.
Curry, in his blog post, called out the automotive industry, a recurring focus of his vulnerability research, for processes that rest on broad employee access and trust.
“The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells…The employees all have access to a ton of personal information, and the whole thing relies on trust,” Curry wrote. “It seems really hard to really secure these systems when such broad access is built into the system by default.”