Ethical hackers Sam Curry and Shubham Shah successfully infiltrated Subaru's Starlink service, gaining unlimited access to customer accounts and vehicles in the U.S., Canada, and Japan. Their breach allowed them to remotely control various vehicle features and access sensitive customer information, including partial credit card numbers and detailed vehicle histories. After reporting the vulnerability, Subaru addressed the issue within 24 hours. This incident is part of a broader trend where connected vehicles pose significant privacy risks, as shown in previous research, highlighting the urgent need for improved cybersecurity measures in the automotive industry.
For example, the two could remotely start, stop, lock, unlock and track the location of each individual vehicle. Location history for the past year could also be retrieved, accurate to within 5 meters.
As befits ethical hackers, the two reported the vulnerability to Subaru, which closed the hole within 24 hours. It is unknown whether malicious hackers ever accessed the Japanese automaker's Starlink systems.
Curry and Shah managed to find the domains and subdomains of the Subaru system with relative ease. Soon, they found that there was direct access to an admin panel, where resetting a password was child's play.
Previous research by Mozilla has already shown that modern cars are privacy nightmares. An awful lot of personal data could be tracked with the information that 'connected cars' pass on to their manufacturer.