Archive for Subaru

Subaru STARLINK Vulnerability Allowed Cars To Be Tracked, Unlocked, And Started… WTF?

Posted in Commentary on January 23, 2025 by itnerd

My wife and I are doing literally everything and anything possible to keep our non-connected vehicle on the road as long as possible. Neither of us trusts carmakers when it comes to our data. This is a prime example of why we don’t trust them. We are also afraid of the security implications of having a car connected to the Internet 24/7. And this story is an example of why we are afraid:

On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:

  • Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.
  • Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.
  • Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.
  • Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.

After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously.

Okay. I will say that it is good that it was patched quickly once it was reported. I will also say that nobody can say with 100% certainty that this was never exploited in any way. And I will say that this implies that Subaru needs to step up their vulnerability testing, as the data listed above is the holy grail of data that anyone from a car thief or a disgruntled ex-partner to an intelligence agency would want.

And what really bothers me is the way that this post concludes:

When writing this, I had a really hard time trying to do another blog post on car hacking. Most readers of this blog already work in security, so I really don’t think the actual password reset or 2FA bypass techniques are new to anyone. The part that I felt was worth sharing was the impact of the bug itself, and how the connected car systems actually work.

The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells. It’s part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust.

It seems really hard to really secure these systems when such broad access is built into the system by default.

So I will say this to any car makers who happen to read this post. You will have to pry our current non-connected car out of the cold dead hands of my wife and me. And the only way that we will consider anything new is if all of you prove on a continuous basis that you’re able to keep this data safe and secure. Because these days, it’s not just about what creature comforts a car has, or the fuel economy that it gets. It’s also about how the data that is generated is secured. Until you do that part well, we’ll keep the car that we have, as that will allow my wife and me to sleep better at night.

UPDATE: Lawrence Pingree, VP, Dispersive had this comment:

“As with modern times, most and many things are tracked. It’s important to point out that in most cases, the tracking is anonymous in nature — without correlations with other types of data, tracking is just one data point. I think most practitioners and customers would want the select ability and opt-in/opt-out authority for their privacy. Where things get even more scary to security practitioners is if the backend systems like AI for example, become connected to cars and execute movement or control over a vehicle. Both the car manufacturer and the liability of the driver could be questioned in such a potential eventuality. Those become blatant safety issues. It’s important that manufacturers get the data they need, but at the same time, customers have more control so that the data isn’t misused. The movie Leave the World Behind portrays future Tesla cars being compromised and running them down the road, colliding with each other. That’s much scarier.”

Subaru Cars Can Be Easily Pwned Via $37 Of Hardware

Posted in Commentary on October 16, 2017 by itnerd

If you own a Subaru, you might want to read this as there is an unpatched exploit that is now out there that makes it very easy to clone key fobs and open cars:

Tom Wimmenhove, a Dutch electronics designer, has discovered a flaw in the key fob system used by several Subaru models, a vulnerability the vendor has not patched and could be abused to hijack cars. The issue is that key fobs for some Subaru cars use sequential codes for locking and unlocking the vehicle, and other operations. These codes — called rolling codes or hopping code — should be random, in order to avoid situations when an attacker discovers their sequence and uses the flaw to hijack cars. This is exactly what Wimmenhove did. He created a device that sniffs the code, computes the next rolling code and uses it to unlock cars…

The researcher said he reached out to Subaru about his findings. “I did [reach out]. I told them about the vulnerability and shared my code with them,” Wimmenhove told BleepingComputer. “They referred me to their ‘partnership’ page and asked me to fill in a questionnaire. It didn’t seem like they really cared and I haven’t heard back from them.”

That’s a pity. I guess they didn’t see this as something to be concerned about. I bet that once people read the story above and see the video below demonstrating the pwnage, they might change their tune:

Here’s the kicker: the pwnage was accomplished using a $25 Raspberry Pi B+ and two dongles, one for Wi-Fi ($2) and one for a TV ($8), plus a $1 antenna and a $1 MCX-to-SMA converter. In other words, $37 of hardware was used to pull this off. Subaru really needs to step up and disclose how they are going to protect owners from this. And they need to do it quickly.
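The quoted report above says the fob codes are sequential when they should be unpredictable. The following is an added example, not code from the researcher, Subaru or this blog: a simplified receiver model that contrasts a sequential code with a keyed one. The HMAC construction, the 16-step window, the 64-bit code size and every name here are assumptions chosen for illustration, not the scheme any vendor uses.

```python
import hashlib
import hmac

WINDOW = 16              # counters ahead of the last accepted one the receiver tolerates
MASK = (1 << 64) - 1     # codes are modelled as 64-bit values


def sequential_code(counter: int) -> int:
    """Weak model: the transmitted code is the counter itself."""
    return counter & MASK


def keyed_code(key: bytes, counter: int) -> int:
    """Hardened model: truncated HMAC-SHA256 of the counter under a per-fob secret."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


class Receiver:
    """Accepts a code only if it matches a counter strictly ahead of the last one."""

    def __init__(self, code_fn, counter: int):
        self.code_fn = code_fn
        self.counter = counter

    def accept(self, code: int) -> bool:
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            expected = self.code_fn(c).to_bytes(8, "big")
            if hmac.compare_digest(expected, code.to_bytes(8, "big")):
                self.counter = c   # advance, so this code can never be replayed
                return True
        return False


def compare_schemes() -> dict:
    key = bytes(range(16))  # constructed sample secret, not a real fob key
    weak = Receiver(sequential_code, 1000)
    strong = Receiver(lambda c: keyed_code(key, c), 1000)
    seen_weak, seen_strong = sequential_code(1001), keyed_code(key, 1001)
    weak.accept(seen_weak)      # legitimate button press, overheard by an observer
    strong.accept(seen_strong)
    return {
        "weak_accepts_observed_plus_one": weak.accept((seen_weak + 1) & MASK),
        "strong_accepts_observed_plus_one": strong.accept((seen_strong + 1) & MASK),
        "strong_accepts_replay": strong.accept(seen_strong),
        "strong_accepts_real_next": strong.accept(keyed_code(key, 1002)),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

Both receivers reject replays of a used code; only the keyed one also ensures that overhearing one transmission reveals nothing about the next valid code.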