Some fascinating research out on hacking a Subaru via STARLINK connected vehicle service.
"On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.
Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:
Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.
Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.
Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.
Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.
After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously."
https://samcurry.net/hacking-subaru#introduction
#cars #security #subaru @starlink
@[email protected] Easily hackable cars + self-driving public beta test
What could go wrong 🤔
@[email protected] Why would Subaru need to store at least ten years of precise location history? Is this for law enforcement requests?
@[email protected] are there any ways to completely turn off such “services” OnStar, and other such ‘always connected’ services do have beneficial uses for customers but I wonder what really gets turned off if I decline the “monitoring” offered by my Nissan Leaf.
I will read Curry’s article for clues as to whether the Subaru Starlink vulnerability may be an instance of a class of such vulnerabilities.@[email protected] Not very nice of him to release the blog post 10 months before telling them, though.
/s
@[email protected]
Thanks, harvested that as an example of growing cyber vulnerabilities@[email protected]
I still say that the many stories like this would create a huge market for anyone offering cars with privacy features & guarantee.
All manufacturers do it… shamelessly.
They install connectivity as “safety” but it’s really about marketing and monetizationI’m beginning to think that disabling car telemetry might not be a good idea as a security measure.
@[email protected] find one innTeslas please
Shubs is the GOAT
@[email protected] wait what? remotely starting the car???
Idk about other countries, but here it’s illegal for the driver to walk away from a car while the car’s engine is running. So the ability to turn the engine on without the driver’s physical presence sounds like something that should never be allowed…
@[email protected] Would this work if you are not signed up for the Starlink service?
Asking for a friend.
@[email protected] Connected cars were a mistake.
@[email protected] on top of that: Starlink has a known issue with parasitic draw on batteries. Subaru has ack’d it, but hasn’t done anything about it. Here’s one post about it, and the answer is to remove the DCM fuse for Starlink. Just a good move all around to disable it I guess.
https://www.reddit.com/r/Subaru_Outback/comments/fzny5f/2017_outback_parasitic_battery_drain/
@[email protected] It’s Jeeps and Sprint all over again.
