Shah and Curry’s investigation that led to the discovery of the Subaru vulnerabilities began when they found that Curry’s mother’s Starlink app connected to the Subarucs.com domain, which they realized was an administrative domain for employees. Searching that site for security flaws, they discovered that they could reset employees’ passwords simply by guessing their email address, which gave them the ability to take over the account of any employee whose email they could find. The password reset functionality requested answers to two security questions, but they discovered that those answers were verified with code that ran locally in a user’s browser, not on Subaru’s server, allowing the safeguard to be easily bypassed. “There were really multiple systemic failures that led to this,” Shah says.
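The difference between a browser-side check and a server-side check of the security answers, as an added example that is not Subaru's code or code from the researchers. The account fields, function names and lockout threshold are assumptions, and the sample accounts are constructed.

```python
import hashlib
import hmac
import os

MAX_FAILED = 5  # assumed lockout threshold

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def make_account(password: str, answers: list[str]) -> dict:
    """Build a constructed sample account; only salted digests are stored."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw": _kdf(password, salt),
        "answers": [_kdf(a.strip().lower(), salt) for a in answers],
        "failed": 0,
    }

def reset_trusting_client(acct: dict, new_password: str, client_verified: bool) -> bool:
    """Weak pattern: the browser ran the check and only reports the outcome."""
    if not client_verified:  # value is fully controlled by the requester
        return False
    acct["pw"] = _kdf(new_password, acct["salt"])
    return True

def reset_server_verified(acct: dict, new_password: str, answers: list[str]) -> bool:
    """Hardened pattern: the server compares the submitted answers itself."""
    if acct["failed"] >= MAX_FAILED:
        return False  # locked: stop unlimited guessing of answers
    given = [_kdf(a.strip().lower(), acct["salt"]) for a in answers]
    ok = len(given) == len(acct["answers"]) and all(
        hmac.compare_digest(g, e) for g, e in zip(given, acct["answers"])
    )
    if not ok:
        acct["failed"] += 1
        return False
    acct["failed"] = 0
    acct["pw"] = _kdf(new_password, acct["salt"])
    return True

def check_password(acct: dict, password: str) -> bool:
    return hmac.compare_digest(acct["pw"], _kdf(password, acct["salt"]))
```

In the hardened handler the expected answers never leave the server, so nothing the browser sends can stand in for a correct answer.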
The two investigators say they found the email address for a Subaru Starlink developer on LinkedIn, took over the employee’s account and immediately discovered they could use that employee’s access to search for any Subaru owner by last name, zip code, email address, phone number or license plate to access their Starlink settings. Within seconds, they could reassign control of that user’s vehicle’s Starlink features, including the ability to unlock the car, honk the horn, start its ignition, or locate it, as shown in the video below.
Those vulnerabilities alone, for drivers, present serious theft and security risks. Curry and Shah point out that a hacker could have targeted a victim for stalking or theft, looked up the location of someone’s vehicle, and then unlocked their car at any time, although a thief would have to somehow use a separate technique to disable the car’s immobilizer, the component that prevents it from being driven without a key.
Those car hacking and tracking techniques alone are far from unique. Last summer, Curry and another researcher, Neiko Rivera, demonstrated to WIRED that they could pull off a similar trick with any of the millions of vehicles sold by Kia. In the previous two years, a larger group of researchers, of which Curry and Shah are part, discovered web-based security vulnerabilities that affected cars sold by Acura, BMW, Ferrari, Genesis, Honda, Hyundai, Infiniti, Mercedes-Benz, Nissan, Rolls Royce and Toyota.