Security researchers have revealed a major vulnerability in the Subaru Starlink system that allowed a vehicle's location over the past year to be tracked and specific functions to be controlled remotely. Although the flaws have been fixed, the discovery raises serious concerns about the privacy of connected vehicles and about the access automakers give employees to sensitive customer data.
It all began when security researcher Sam Curry bought a Subaru for his mother. Curry, known for his research on connected systems, made a deal with his mother that she would let him hack it at some point. In November last year, he finally tested the internet-connected features of the 2023 Subaru Impreza. According to Ars Technica, with the help of fellow researcher Shubham Shah, it did not take long to uncover weaknesses in Subaru's web portal.
The pair discovered a vulnerability that allowed them to reassign control of a vehicle's Starlink functions to any device they selected. They were able to unlock the car, honk the horn, and even start the ignition. Perhaps most concerning, they were able to access a year's worth of detailed location data for the car. This information revealed every place Curry's mother had visited, including specific parking spaces and personal stops such as a church and a doctor's office.
![](https://techstartups.com/wp-content/uploads/2025/01/locData.jpg)
Location data for a 2023 Subaru Impreza, accessible from the Subaru employee management portal through the security vulnerabilities the researchers identified. Credit: Sam Curry
“You can get at least one year of a car for a car, so it will be multiple times a day, sometimes multiple times,” Curry explained. “There is a scenario that can weapon this for someone, whether someone is deceived or abandoned, or is a part of a political group.”
Subaru Starlink vulnerabilities exposed to remote hacking: researchers reveal year-long tracking flaw and privacy risks
Curry and Shah detailed their findings in a blog post released last week, explaining that vulnerabilities in a Subaru website designed for employees made it possible to reset employee account credentials and access vehicle data. By exploiting these weaknesses, they could track Starlink-equipped Subaru vehicles in the United States, Canada, or Japan. The hack depended on a series of mistakes: email-based password resets, the way security questions were verified, and extensive access to customer data.
After being warned in November, Subaru immediately dealt with the defect. The company stated: “After being notified by an independent security researcher, [Subaru] discovered a vulnerability in the STARLINK service through which a third party may be able to access Starlink accounts. The vulnerability was immediately closed and customer information was not accessed without approval.”
Nevertheless, this incident highlights how much data car manufacturers collect and who can access it. Subaru has confirmed that some employees can access past location data and claims that this is needed to share a vehicle's location after an accident. However, Curry questioned the need for such a wide range of data.
“I have the expectation that Google employees are not just passing your email with Gmail,” he said. “However, there are literally buttons on the Subaru management panel so that employees can display their location history.”
Subaru’s situation is not isolated. The researchers' work is part of a wider trend of uncovering vulnerabilities in connected vehicles. Over the past two years, Curry and his colleagues have identified similar flaws in Acura, Toyota, Hyundai, Kia, and some luxury brands. Many of these cases involved the possibility of remote control of vehicle functions, but Subaru’s extensive collection of location data stands out.
This discovery adds to growing concern about data practices in the automotive industry. In September, the Mozilla Foundation called modern cars a “privacy nightmare,” reporting that 92% of automakers give drivers hardly any control over data collection and 84% reserve the right to sell or share the data they collect. Subaru said it does not sell location data.
The wider point is that connected cars are increasingly becoming repositories of sensitive personal data. Curry's findings emphasize the need for better safeguards to protect drivers from potential abuse, whether by hackers or through authorized access. Balancing functionality and privacy remains an important task as car companies expand their connected services.