Software Flaw Exposes Millions of Subarus, Rivers of Driver Data (securityledger.com) 46
chicksdaddy shares a report from the Security Ledger: Vulnerabilities in Subaru's STARLINK telematics software enabled two independent security researchers to gain unrestricted access to millions of Subaru vehicles deployed in the U.S., Canada and Japan. In a report published Thursday, researchers Sam Curry and Shubham Shah revealed a now-patched flaw in Subaru's STARLINK connected vehicle service that allowed them to remotely control Subarus and access vehicle location information and driver data with nothing more than the vehicle's license plate number, or easily accessible information like the vehicle owner's email address, zip code and phone number. (Note: Subaru STARLINK is not to be confused with the Starlink satellite-based high speed Internet service.)
[Curry and Shah downloaded a year's worth of vehicle location data for Curry's mother's 2023 Impreza (Curry bought her the car with the understanding that she'd let him hack it). The two researchers also added themselves to a friend's STARLINK account without any notification to the owner and used that access to remotely lock and unlock the friend's Subaru.] The details of Curry and Shah's hack of the STARLINK telematics system bear a strong resemblance to hacks documented in Curry's 2023 report Web Hackers versus the Auto Industry, as well as a September 2024 discovery of a remote access flaw in web-based applications used by KIA automotive dealers that also gave remote attackers the ability to steal owners' personal information and take control of their KIA vehicle. In each case, Curry and his fellow researchers uncovered publicly accessible connected vehicle infrastructure intended for use by [employees and dealers was found to be trivially vulnerable to compromise and lack even basic protections around account creation and authentication].
Well now (Score:3)
I guess this explains the email I got from Subaru a month or two back, telling me there was a "Starlink update" available. It didn't mention any security patches, though.
Re: (Score:2)
I guess this explains the email I got from Subaru a month or two back, telling me there was a "Starlink update" available. It didn't mention any security patches, though.
They can't be letting you know how utterly incompetent they are. They could lose some of their precious money to justified litigation.
Re: (Score:3)
No it doesn't explain that. There was no issue with the app or the car, or even your account or the way you access it. The issue was in an online portal that exploits Subaru employee accounts. Unless you're a Subaru employee this has nothing to do with you or any way you use your car or its connected services.
Security and safety (Score:2)
Sounds like an FTC complaint waiting to happen.
"In each case, Curry and his fellow researchers uncovered publicly accessible connected vehicle infrastructure intended for use by [employees and dealers was found to be trivially vulnerable to compromise and lack even basic protections around account creation and authentication]."
"STARLINK Safety and Security helps keep you and your Subaru safe whether you're in your vehicle, at your computer, or on your mobile device."
Re:Security and safety (Score:5, Informative)
A complaint about the immediate response of Subaru, fixing the flaw the day after being notified about it?
Timeline
11/20/24 11:54 PM CST: Initial report sent to SecOps email
11/21/24 7:40 AM CST: Initial response from Subaru team
11/21/24 4:00 PM CST: Vulnerability fixed, unable to reproduce
01/23/25 6:00 AM CST: Blog post released
They fixed it before the end of the business day.
This wasn't a flaw in any code running in any vehicle, it was a poorly built password reset function on a Subaru employee portal.
The researchers couldn't find anything wrong with the mobile app
Re: (Score:2, Troll)
A complaint about the immediate response of Subaru, fixing the flaw the day after being notified about it?
"trivially vulnerable to compromise and lack even basic protections around account creation and authentication" ABSOLUTELY.
This wasn't a flaw in any code running in any vehicle
So what? This was not an innocent coding error. It was an intentional design choice.
"Curry came across a file, login.js that showed what appeared to be an endpoint, resetPasswor.json, that could reset any Subaru employee's account password with nothing more than a valid employee email, and without requiring a confirmation token. "
"After uncovering the non-public applications
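The comments above describe the defect concretely: an employee-portal reset endpoint that changed any account's password given only a valid e-mail address, with no confirmation token proving the requester controls that mailbox. The block below is an added illustration, not Subaru's code or anything from Curry and Shah's report, and its user store, e-mail addresses, endpoint shape and password hashing are constructed placeholders. It puts the token-less design beside the standard two-step design (request a single-use, expiring token delivered out of band; then redeem it), which is the check a reviewer would have expected to find in the portal.

```python
"""Password reset: the token-less design beside a hardened two-step design.

Added example for this discussion thread; it is not the STARLINK portal's
code.  Storage, addresses and hashing are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store (placeholder for the real account database).
USERS = {
    "alice@example.test": {"password_hash": "old-hash-alice"},
    "bob@example.test": {"password_hash": "old-hash-bob"},
}

TOKEN_TTL_SECONDS = 15 * 60          # reset tokens live 15 minutes (assumed policy)
_pending_resets = {}                 # email -> {"token_hash": ..., "expires": ...}


def hash_password(password):
    # Placeholder: a production system uses a slow password KDF (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def flawed_reset_password(email, new_password):
    """The design the thread criticises: if the address exists, the password
    is replaced.  Nothing ties the request to the mailbox owner, so merely
    knowing an employee's address is a full account takeover."""
    user = USERS.get(email)
    if user is None:
        return False
    user["password_hash"] = hash_password(new_password)
    return True


def _token_hash(token):
    # Only a hash of the token is stored, so a database read does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Step 1: record a pending reset and return the token that would be e-mailed
    to the address on file.  It is returned here only so the example can be
    exercised; the HTTP response to the requester must never contain it, and
    unknown addresses get the same generic 'check your mail' reply so the
    endpoint does not reveal which addresses are registered."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _pending_resets[email] = {
        "token_hash": _token_hash(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def complete_reset(email, token, new_password, now=None):
    """Step 2: the presented token must match the stored hash and be unexpired.
    A successful or expired token is consumed (no replay); a mismatch leaves
    the pending entry in place so a third party cannot cancel a legitimate
    request by guessing, and the comparison is constant-time."""
    now = time.time() if now is None else now
    pending = _pending_resets.get(email)
    if pending is None:
        return False
    if now > pending["expires"]:
        _pending_resets.pop(email, None)
        return False
    if not hmac.compare_digest(pending["token_hash"], _token_hash(token)):
        return False
    _pending_resets.pop(email, None)
    USERS[email]["password_hash"] = hash_password(new_password)
    return True


def verify_login(email, password):
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(
        user["password_hash"], hash_password(password)
    )


if __name__ == "__main__":
    # Flawed path: an address alone is enough to take over alice's account.
    print("flawed takeover:", flawed_reset_password("alice@example.test", "attacker-chosen"))
    # Hardened path: bob's reset needs the token that only his mailbox receives.
    tok = request_reset("bob@example.test")
    print("without token:", complete_reset("bob@example.test", "guess", "x"))
    print("with token:", complete_reset("bob@example.test", tok, "new-bob-pw"))
    print("replay:", complete_reset("bob@example.test", tok, "again"))
```

The `now` parameter exists so expiry can be tested deterministically; in a real service the clock comes from the server, the token goes out only by e-mail, and the request endpoint is rate-limited per address and per source. Note that the hardened version also needs the requester to prove control of the mailbox, which is exactly the confirmation step the quoted endpoint skipped.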
Re: (Score:3)
Mistakes happen. They probably outsourced that application to an incompetent third party. Most automotive industry software is. Lesson learned. Maybe they'll hire pen testers for their next project. Maybe they already do, but this was their first ever foray into internet accessible back-end systems.
Appropriate responses to mistakes are more important than the impossible task of producing perfect code.
Re: (Score:1)
Mistakes happen. They probably outsourced that application to an incompetent third party.
Most automotive industry software is. Lesson learned. Maybe they'll hire pen testers for their next project. Maybe they already do, but this was their first ever foray into internet accessible back-end systems.
Appropriate responses to mistakes are more important than the impossible task of producing perfect code.
Nobody is talking about perfect code neither is designing a password reset program without any authentication a "mistake" ... a mistake would be the authentication procedure existing yet being faulty and exploitable in some way. Not having one at all is a design decision that goes well beyond simple coding error.
Re: (Score:2)
Ok expert.
Thanks for your redefinition of the english language.
Re: (Score:3)
Mistakes happen. They probably outsourced that application to an incompetent third party. Most automotive industry software is. Lesson learned. Maybe they'll hire pen testers for their next project. Maybe they already do, but this was their first ever foray into internet accessible back-end systems.
Appropriate responses to mistakes are more important than the impossible task of producing perfect code.
Nobody is talking about perfect code neither is designing a password reset program without any authentication a "mistake" ... a mistake would be the authentication procedure existing yet being faulty and exploitable in some way. Not having one at all is a design decision that goes well beyond simple coding error.
Re: (Score:2)
You really need to calm down, and not post almost exactly the same thing twice, a few hours apart.
Re: (Score:2)
So what? This was not an innocent coding error. It was an intentional design choice.
So coding errors are okay and "trivial" but design errors can't be? I really am struggling why you think there's a distinction between trivial mistakes, especially ones fixed so quickly.
But sure you better report them to the manager Karen.
New Privacy Policy Today - Give us your Data (Score:5, Informative)
Subaru just pushed out a new version of their app that contains a privacy policy that explicitly allows them to harvest the data and sell it to 3rd party companies. So, if you want to use the features of the vehicle that Subaru sold you on, you must give up your right to privacy and allow Subaru to profit from your personal information.
Re: (Score:2)
Subaru just pushed out a new version of their app that contains a privacy policy that explicitly allows them to harvest the data and sell it to 3rd party companies. So, if you want to use the features of the vehicle that Subaru sold you on, you must give up your right to privacy and allow Subaru to profit from your personal information.
I've been a big fan of Subaru vehicles over the years, but the news in the last 5 years or so of their egregious data-harvesting is a huge turn-off, as is the lack of physical controls in their central consoles. Perhaps I'll break the Subaru tradition I've sort of bought into.
Are any features in the app considered "must-have"s?
Re:New Privacy Policy Today - Give us your Data (Score:5, Insightful)
Good luck finding another car connected to the internet that won't harvest your data. I imagine you'll have zero success.
Re: (Score:3)
Wow, cars embraced enshittification too.
What years is the "cut-off" for cars that respect your data?
Re: (Score:2)
There is no one year, that's a ridiculous idea. It's not like one day the regulatory landscape changed to permit this. It always permitted it, and the cost of the tech was what held it back, and different automakers decided it was worth it at different times.
It was earlier for GM than almost anyone due to OnStar. It was earlier for Subaru than any other Japanese automaker because, amusingly, also OnStar. They have their own "services" now.
Re: (Score:3)
Wow, cars embraced enshittification too.
What years is the "cut-off" for cars that respect your data?
2013 seems to be a fairly common year after which cars started getting much more egregious about their connectedness. Specific brands went further faster, of course, but back then it was mostly just OnStar for GM vehicles, which you couldn't fully disable but which didn't direct report every little thing if you didn't subscribe. I have a 2013 Nissan which is pretty disconnected. And a 2013 Chevy which only has the OnStar system, but it's never had a subscription. I'm doing everything I can to keep those thi
Re: (Score:3)
Look at Open Vehicle Monitoring System. Open source, you control it and the data. Decline your car's EULA and/or disconnect the cellular antenna. For mapping use Android Auto with an Open Street Map based app.
Re: (Score:2)
I assume if you decline the eula, you won't have access to any of the infotainment.
Come to think of it, if you buy a second hand car, aren't presented with any kind of agreement or even being told you're being tracked, because the previous owner agreed it to already, and they continue to track you, sounds like a privacy breach to me.
I remember some early cars with touch screens prompted the driver every time the car was turned on to accept that using a screen while driving is dangerous. The manufacturers kn
Re: (Score:3)
Good luck finding another car connected to the internet that won't harvest your data. I imagine you'll have zero success.
You can opt-out. Doing so will disable a lot of functionality, but if all you want to do is drive your car it is entirely doable.
For example, declining Toyota's Master Data Consent [toyota.com]. Subaru has similar opt-out, plus they go further and remotely (and irreversibly) will brick your Starlink module if you ask.
Re: New Privacy Policy Today - Give us your Data (Score:2)
Re: (Score:2)
Just disconnect the cell antenna.
Re: (Score:2)
Subaru just pushed out a new version of their app that contains a privacy policy that explicitly allows them to harvest the data and sell it to 3rd party companies. So, if you want to use the features of the vehicle that Subaru sold you on, you must give up your right to privacy and allow Subaru to profit from your personal information.
By the looks of things that privacy policy should contain letting 3rd parties borrow your car without permission, also.
Re: (Score:2)
So what if you buy the car and then discover the privacy policy, refuse it, and return the car because the smart features you were sold don't work?
It wouldn't even help if dealers showed you the terms before buying, because when Subaru changes them you could refuse and need to return the car.
The best option is to make this illegal, but failing that returning cars that the dealer can then only resell as used is the best option.
Re: (Score:2)
Of course they did. But only in America where that practice is common and accepted. What you gonna do pleb, walk? In America of all places?
Maybe you should stop complaining about companies doing what is normal for companies to do and start advocating for consumer protection laws.
Nope, just nope (Score:5, Insightful)
This is why I will not ever purchase a vehicle that is connected back to the manufacturer. It looks like used cars for the rest of my life. All of this IoT shit is a complete ass-rape.
Re: (Score:2)
If the legendary "Invisible Hand of the Market" has anything to say about it, there will soon be a range of products to allow car owners to disable, remove, spoof, and otherwise fuck with newer vehicles' incessant efforts to "phone home". It wouldn't surprise me if legal consequences of current and past privacy rapes (such Texas vs GM over data tracking) wind up forming the basis of strong legal challenges to any manufacturer's efforts to make such interference illegal.
Re: (Score:3)
The thing about the invisible hand of the market is that it needs a market to exist. Like it or not outside of the Slashdot bubble virtually no one gives a shit. In fact they welcome their connected cars with their updated traffic announcements, their Spotify connectivity, the ability to start the heating system before getting into the car etc.
Re:Nope, just nope (Score:4, Insightful)
I plan to (a) pull the transmitter fuse if possible, (b) (test and then) install a switch to electronically disable the antenna, or (c) depower or (as a last resort) remove the SIM card.
I'd still like my car to occasionally talk for updates and such every 6 months or more, but certainly not milli-second-ly. I'd MUCH rather have it connect tethered thru my phone though, which I could enable/disable at will. My car doesn't need to be a roving hot-spot or have its own data plan.
Re:Nope, just nope (Score:4, Interesting)
If your car doesn't have a network connection, you don't need updates to protect you from known vulnerabilities being exploited.
I bought a Roomba, nice little toy, keeps the floors clean while I'm at work. Because I'm me, I firewalled the thing and didn't let it phone home. Instead, I controlled it with my home security system. Had a nice map and everything.
Turns out, iRobot didn't like people accessing the map directly instead of going through their web site. They issued a mandatory update to break the ability to pull coordinates directly from the device. I found this out when I made the mistake of letting the thing access the Internet for five minutes, and now I have no mapping.
NEVER trust the manufacturer. It doesn't matter what you paid for, they can and will remove or alter functionality at will if you give them the opportunity. They can and will exploit every possible means to extract profit from your possession of their product.
Re: (Score:3)
I'm surprised you can remove the SIM cards at all. For industrial applications you can get a SIM on a chip, rather than a card. Especially for automotive use where vibration is a problem, eliminating the socket is very useful.
Re: (Score:2)
Yeah! Impact and vibration were never a problem for cellphones, so nobody ever solved this problem before.
Re: (Score:2)
Vibration inside a car is rather different, especially when the unit has to be securely bolted to the frame.
Re: (Score:2)
It's very common for the PCB in an automotive control module to be shock mounted. It's also not different because it is often literally the same vibration - if your cellphone is in your car, and sitting on a hard surface like most center consoles, it experiences automotive style vibration.
Re: (Score:2)
They often pot those modules, which you can't really do with a socket. Another reason why the chips are favoured.
Re: Nope, just nope (Score:2)
No. Most automotive module PCBs are not potted and never were.
Re: (Score:2)
YOU AND ME BOTH!!!!
My current car is a 2013 Hyundai Elantra. I've come into some money and would like to get a bit newer/lower mileage car, perhaps another Hyundai, as this one has been a great car. However I WILL NOT consider buying a new car or ANY car with this spyware crap on it. If I decide I want internet in the car, I'll get one of the little 5g hotspots.
Right-to-Repair (Score:1)
Subaru is among the companies that wailed and gnashed their teeth when Massachusetts (and perhaps other states) passed laws saying that yes, right-to-repair does extend to cars, even cars with fancy computerized gewgaws, and manufacturers need to make those features accessible to independent shops to the point that they can repair them.
Subaru's solution was to simply disable those features on cars it sold in/around Massachusetts, if I recall. It and other manufacturers complained loudly that making things
Disable telematics? (Score:2)
Remember all the scary stuff on Chinese cars? (Score:3)
I remember people saying to never buy Chinese cars because they track you 24/7, they can be remotely disabled, and they don't have the ability to be repaired, especially if the fault is one of many ECUs on the CAN, where the board isn't made anymore.
Now, we have this, with location data tracked, hacked, and sold, and the ability for bad guys to remotely kill cars. Now it seems car makers from every country have jumped on this dystopian bandwagon. The same issue with fixing vehicles now applies here.
I wonder if/when this is going to change. Seems like with a recession in progress, car makers would be trying to lower prices, not just keep reaching for the stratosphere with pricing and add-on fees as well as subscriptions.
If a car company came into the US and offered basic vehicles [1] with decent safety features, and was easily repairable, they would be at a Tesla level in no time flat due to sales. This doesn't have to be another Canyonero sized behemoth... something like a Honda Element would sell like hotcakes, especially if it could be fitted with a pop-top or a Westfalia-like conversion (with shower, bathroom, etc) for camping trips. For urban areas, something like a 6000 SUX with a Magnavolt car alarm system would be ideal, if it could be easily repaired.
[1]: ICE or PHEV preferably, as the US doesn't really have a solid electrical grid in some places. Maybe even something like the BMW i3 and have an EV with a range extender. Something simple and easily maintained by anyone with a can of Duff beer and a 10mm socket wrench can work with, with ECU firmware and board schematics open source, so the vehicle can be kept going long after the maker doesn't bother with parts.
Ha! (Score:2)
I'm glad my 2007 Subaru Outback doesn't have any of these software systems. It has just enough rust to keep the ECU attached to the car. If anything is going to disable the car and prevent me from driving it, it will be the car itself... because it's so old.
can gut it (Score:2)
It's possible to disconnect this trash, but it's annoying to remove a big part of the dashboard and install a jumper.