Subaru Bug Could Have Allowed Hackers to Track and Hijack Cars
Security researchers have revealed how attackers could have exploited a vulnerability in the admin portal for Subaru's Starlink connected-vehicle service to remotely track, unlock and even start connected cars.
Ethical hacker Sam Curry explained in a blog post late last week that he found an arbitrary account takeover flaw in the admin portal for Subaru's Starlink in-vehicle service, enabling him to hijack a Subaru employee account.
The portal then prompted for multi-factor authentication (MFA), but the check was enforced only in the browser: Curry bypassed it by removing the client-side overlay from the user interface, leaving the already-authenticated session free to call the portal's endpoints.
“There were a ton of other endpoints,” he said. “One of them was a vehicle search which let you query a customer’s last name and zip code, phone number, email address, or VIN number (retrievable via license plate) and grant/modify access to their vehicle.”
Effectively, this allowed Curry to track and even hijack “pretty much any Subaru in the US, Canada and Japan.”
It enabled him to:
- Remotely start, stop, lock, unlock and retrieve the current location of any vehicle
- Retrieve any vehicle’s complete location history from the past year, accurate to within five meters and updated each time the engine starts
- Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information and vehicle PIN
- Access miscellaneous user data including support call history, previous owners, odometer reading, sales history and more
Fortunately, Subaru responded to Curry’s outreach almost immediately and patched the offending vulnerability within 24 hours. However, the researcher aired wider concerns about the industry.
“The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells. It’s part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust,” he concluded.
“It seems really hard to secure these systems when such broad access is built into the system by default.”