Subaru security flaw allowed millions of cars to be tracked, unlocked, and started

A Subaru security vulnerability allowed millions of cars to be tracked, unlocked, and started remotely. A full year of location history was exposed, accurate to within five meters.

Security researcher Sam Curry reached an agreement with his mother: he would buy her a Subaru if she allowed him to hack it.

He started by looking for bugs in the MySubaru mobile app, but came up empty. That didn’t stop him.

From my past experience working with automakers, I knew there could be public-facing employee apps with broader permissions than the customer-facing apps. With that in mind, I shifted my focus and began looking for other Subaru-related websites.

A friend helped him locate a promising subdomain. It required an employee login, but some digging in a JavaScript directory revealed insecure password reset code. All they needed was a valid employee email address, which they found with a quick internet search. They reset the password and were then able to log in.

The only remaining barrier was 2FA, but it turned out to be trivial to defeat, because it was implemented client-side and could be removed locally. At that point, they were in.

The left navbar had a ton of different functionality, but the juiciest sounding one was “Last Known Location”. I went ahead and typed in my mom’s last name and ZIP code. Her car popped up in the search results. I clicked it and saw everywhere my mom had traveled the last year.

It turned out they could also remotely take control of any Subaru with Starlink installed, which they tested after getting a friend’s permission to target her car.

She sent us her license plate, we pulled up her vehicle in the admin panel, then finally we added ourselves to her car. We waited a few minutes, then we saw that our account had been created successfully.

Now that we had access, I asked if they could take a look at the doors and see if anything happens to their car. I sent the command “unlock”. Then they sent us this video.

Not only did they have control of the car, but its owner never received any notification that a new authorized user had been added to her account.

Curry reported the issue to Subaru, which had it fixed by the next day and confirmed there was no evidence of anyone else having gained access.

Perhaps the most disturbing element of the story is Curry’s conclusion: he found it hard to write up the article because he didn’t think it would surprise anyone in the security industry.

Most readers of this blog already work in the security field, so I really don’t think password reset or 2FA bypass techniques are new to anyone. What I thought was worth sharing was the impact of the bug itself and how connected car systems actually work.

The automotive industry is unique in that an 18-year-old employee from Texas can query the billing information for a vehicle in California, and it would probably not set off any alarms. It’s part of their normal daily work. All employees have access to a large amount of non-public data, and it’s all built on trust.

It is hard to see how systems like these can ever be made truly secure when such broad access is built in by default.

Photo: Subaru. GIFs: Sam Curry.


Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He is known for his opinion pieces and diary entries, which explore his experience with Apple products over time for a more rounded review. He also writes fiction, with two technothriller novels, a few science fiction short stories, and a romantic comedy.
