Subaru security vulnerability allowed millions of cars to be tracked, unlocked, and started
9to5mac.com
A Subaru security vulnerability allowed millions of cars to be remotely tracked, unlocked, and started. A full year's worth of location history was available, accurate to within five meters.

Security researcher Sam Curry reached an unusual deal with his mother: he would buy her a Subaru if she would let him try to hack it.

He started by looking for flaws in the MySubaru mobile app, but couldn't find any. He didn't stop there, however:

"From my past experience with car companies, I knew there could be publicly accessible employee-facing applications with broader permissions than the customer-facing apps. With that in mind, I decided to shift focus and started hunting for other Subaru-related websites to test."

A friend helped him find a promising-looking subdomain. It of course required an employee login, but digging around in a JavaScript directory on the site revealed an insecure password-reset flow. All they needed then was a valid employee email address, which a quick web search turned up. They reset the password and were then able to log in.

The one remaining barrier was 2FA, but this turned out to be trivial to defeat: the check ran entirely in the browser, so it could be removed locally, and the site then behaved as if the second factor had been supplied. At that point they were in:

"The left navbar had a ton of different functionality, but the juiciest sounding one was 'Last Known Location'. I went ahead and typed in my mom's last name and ZIP code. Her car popped up in the search results. I clicked it and saw everywhere my mom had traveled the last year."

It appeared that they could also remotely take control of any Subaru with Subaru's Starlink connected services installed, and they tested this by getting permission to target a friend's car:

"She sent us her license plate, we pulled up her vehicle in the admin panel, then finally we added ourselves to her car. We waited a few minutes, then we saw that our account had been created successfully. Now that we had access, I asked if they could peek outside and see if anything was happening with their car. I sent the unlock command. They then sent us this video."

Not only did they have control of the car, but its owner didn't even receive a message that an authorized user had been added to their account.

Curry sent a report to Subaru, and the company had it fixed by the next day, also confirming that there was no evidence of anyone else having gained access.

Perhaps the most worrying part of the story is Curry's conclusion that it was hard to even write the post because he didn't think any of it would surprise others in the security industry:

"Most readers of this blog already work in security, so I really don't think the actual password reset or 2FA bypass techniques are new to anyone. The part that I felt was worth sharing was the impact of the bug itself, and how the connected car systems actually work.

The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won't really set off any alarm bells. It's part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust."

It seems really hard to secure these systems when such broad access is built into the system by default.

Photo: Subaru. GIF via Sam Curry.