A Subaru security vulnerability allowed millions of cars to be remotely tracked, unlocked, and started. A full year’s worth of location history was available, and was accurate to within five meters …
Security researcher Sam Curry reached an unusual deal with his mother: he would buy her a Subaru if she would let him try to hack it.
He started by looking for flaws in the MySubaru Mobile App, but couldn’t find any. He didn’t stop there, however.
From my past experience with car companies, I knew there could be publicly accessible employee-facing applications with broader permissions than the customer-facing apps. With that in mind, I decided to shift focus and started hunting for other Subaru-related websites to test.
A friend helped him find a promising-looking subdomain. It of course required an employee login, but some digging around in a JavaScript directory revealed insecure password-reset code. All they needed then was a valid employee email address, which they found with a quick web search. They reset the password and were then able to log in.
The one remaining barrier was 2FA protection, but this turned out to be trivial to defeat, as it ran on the client side and could be removed locally. At that point they were in.
The left navbar had a ton of different functionality, but the juiciest sounding one was “Last Known Location”. I went ahead and typed in my mom’s last name and ZIP code. Her car popped up in the search results. I clicked it and saw everywhere my mom had traveled the last year.
It appeared that they could also remotely take control of any Subaru with Starlink installed, and they tested this by getting permission to target a friend’s car.
She sent us her license plate, we pulled up her vehicle in the admin panel, then finally we added ourselves to her car. We waited a few minutes, then we saw that our account had been created successfully.
Now that we had access, I asked if they could peek outside and see if anything was happening with their car. I sent the “unlock” command. They then sent us this video.
Not only did they have control of the car, but its owner didn’t even receive a message that an authorized user had been added to their account.
Curry sent a report to Subaru, and the company had it fixed by the next day, also confirming that there was no evidence of anyone else having gained access.
Perhaps the most worrying part of the story is Curry’s conclusion – that it was hard to even write the post because he didn’t think any of it would surprise others in the security industry.
Most readers of this blog already work in security, so I really don’t think the actual password reset or 2FA bypass techniques are new to anyone. The part that I felt was worth sharing was the impact of the bug itself, and how the connected car systems actually work.
The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells. It’s part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust.
It seems very hard to secure these systems when such broad access is built in by default.
Photo: Subaru. GIF via Sam Curry.