Some fascinating research out on hacking a Subaru via STARLINK connected vehicle service.

"On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:

Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.

Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.

Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.

Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.

After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously."

https://samcurry.net/hacking-subaru#introduction

#cars #security #subaru @starlink

Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
@briankrebs wow that is entirely too much data to collect, first of all, and second of all entirely too much data to be accessible to any employee.

@Specialist_Being_677
#PostOfTheWeek (season 2):
On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:

@briankrebs Why would Subaru need to store at least (edit) a year of precise location history? Is this for law enforcement requests?

Edit: misread

@pkprotoplasm @briankrebs I don't think it's an actual requirement, but law enforcement absolutely uses these kinds of data sources.
@pkprotoplasm @briankrebs the data can be monetized, it is very profitable to spy on people
@froge @briankrebs @pkprotoplasm The whole data broker industry needs to be criminalised and treated as international organised crime.
@veronica It pretty much is barely legal.
@froge @briankrebs In my experience, at the scale we’re talking about here, the data is anonymized and transferred to data customers far more frequently than annually, so there’s not really a need to keep it that long just for a data customer.
@pkprotoplasm @briankrebs my general understanding is that they keep large amounts of historical data (they being car companies here) because they can run ML models and certain long-term behavior analysis over it sometimes, and occasionally this results in innovations like better routing or new ways to charge people money lol

@briankrebs Easily hackable cars + self-driving public beta test

What could go wrong 🤔

@briankrebs Not very nice of him to release the blog post 10 months before telling them, though.

/s

@klefstadmyr looks like that was a typo that has since been fixed. The blog post release date is Jan 23, 2025, which is today.

@briankrebs fuck that, so how do we disable this Starlink shit?
@AlexanderMars @briankrebs Find the feed line of the antenna and apply wire cutters?
@AlexanderMars with a little luck it must be possible to block the antenna. 😏
@briankrebs are there any ways to completely turn off such "services"? OnStar and other such 'always connected' services do have beneficial uses for customers, but I wonder what really gets turned off if I decline the "monitoring" offered by my Nissan Leaf.
I will read Curry's article for clues as to whether the Subaru Starlink vulnerability may be an instance of a class of such vulnerabilities.
@briankrebs The scale of this is near endless, as exemplified by #volksdaten with VW brands last year (#38c3 talk), though there was no backchannel then.
@briankrebs
I still say that the *many* stories like this would create a huge market for anyone offering cars with privacy features & guarantee.
*All* manufacturers do it... shamelessly.
They install connectivity as "safety" but it's really about marketing and monetization

@briankrebs

Gonna guess this is pretty much the same vulnerability that Kia had a while ago.

Also going to bet that it's not just Kia and Subaru that have this vulnerability.

(Gotta pad those VINs, kids.)

@briankrebs Wonder if that can apply to voting machines in the US.

@briankrebs

You can physically disconnect the antenna for telemetry if you're committed. Cannot say whether it voids your warranty or not (you could fry it and make it look like an accident maybe?)

https://www.subaruoutback.org/threads/disconnecting-your-telematics-starlink-antenna.519259/

@contrasocial

@starlink @briankrebs

In the US it only voids the warranty on the things that need the antenna. But you may need a lawyer to enforce this.

@briankrebs

Glad it wasn't exploited.

I have a Subaru with their STARLINK stuff in it, but luckily it's a manual so it has none of the remote start/stop capabilities.

@briankrebs at least one thing that is pretty effin rad about riding my track bike - it cannot be hacked remotely by some fckwad
and the bike doesn't collect any GD data
@briankrebs A modern car is just a mobile data breach.
@briankrebs @noxypaws I wonder what's the maximum voltage the antenna can support...

@briankrebs wait what? remotely starting the car????

Idk about other countries, but here it's illegal for the driver to walk away from a car while the car's engine is running. So the ability to turn the engine on without the driver's physical presence sounds like something that should never be allowed...

@briankrebs This is a good argument for privacy. It’s harder to track me if my car company has a burner email address, etc.

@briankrebs

Does anyone have an idea on the legal implications of this sort of poking around?
Organizations should be thankful and relieved when the curious and talented point out their dangerous mistakes, but it's easy to imagine the blunt hammer of the law swinging down instead.

@briankrebs Would this work if you are not signed up for the Starlink service?

Asking for a friend.

@briankrebs Connected cars were a mistake.
@briankrebs Friends don't let friends implement security controls exclusively in the front-end.
@briankrebs It’s Jeeps and Sprint all over again.