As the automotive industry becomes smarter and more connected, the number of security breaches increases. A new report shows how vulnerable connected cars can be.
A security researcher named Sam Curry recently published a blog post explaining how he and a colleague (Shubham Shah) managed to compromise the Starlink software system used by Subaru cars. Starlink powers the infotainment center in Subaru vehicles and allows users to remotely control their registered cars, which can include locking/unlocking and remote vehicle starting.
Curry explained that an exploit in Subaru’s employee login page for the Starlink system allowed him to identify a valid employee’s email address, change the employee’s password and bypass two-factor authentication to log in.
Once in the Starlink system, Curry found he could locate any registered Subaru vehicle based on any of the following: the customer’s name, phone number, email address or vehicle identification number (VIN). (Note that VINs can easily be found from a license plate.) Once the car was found, all of this information was readily available. Other information available included billing data, emergency contacts, and more.
Not only was this personal data easily accessible, but the vehicle’s location history over the past year was also available and, according to Mr. Curry, easy to download and trace. This location data included a timestamp, vehicle odometer, and GPS coordinates (with an accuracy of approximately 15 feet or 5 meters).
Even more worrying, Mr. Curry was able to find a friend’s car in the database and add his personal credentials as an authorized Starlink user. Once added, he could control the car remotely. He was able to lock and unlock the car, start it remotely and determine its position. The affected Starlink user did not receive any notification that another user had been added to the car’s Starlink account.
Subaru appears to have since patched the vulnerability, discovered by Curry in November 2024. The automaker released a patch within 24 hours of receiving Mr. Curry’s report, to its credit. Mr. Curry’s message reminds us that even though our cars are smart, they can be very vulnerable to thieves and other bad actors.