This Subaru Hack Exposed Location Data and Allowed Remote Access

We know that cars are better connected than ever before, which is great when you want to remember where you parked or start defrosting the vehicle windows while you're still in bed—but this modern tech comes with security and privacy concerns, as a new hack of Subaru cars and their Starlink software has shown.

Security researchers Sam Curry and Shubham Shah explain in a blog post how they were able to remotely gain access to the Starlink connected-vehicle service run by Subaru, via its employee-facing admin portal. Their test target was Curry's mom's car, but the same platform serves Subaru vehicles in the U.S., Canada, and Japan.

Knowing only a driver's surname plus any one of their ZIP code, email address, phone number, or license plate, Curry and Shah could look the car up in the portal and then start, stop, lock, and unlock it, as well as retrieve its current location. They could also pull the vehicle's stored location history for the previous year, precise enough to show individual parking spots.

The same access exposed personal information about the driver, including their address, their billing information (though not their full credit card number), and their emergency contact. Support call history, odometer readings, and previous owners of the vehicle could also be viewed.

Curry and Shah managed to test out the access on a Subaru belonging to one of their friends, and it worked again—all without any kind of notification or alert to the car's driver that their vehicle was being accessed. All that was needed was a successful login to the Starlink portal and some basic driver information.

[Image: Subaru login] The Subaru employee portal was targeted by the hack. Credit: Sam Curry

The Starlink employee login was protected with two-factor authentication and security questions, but both were enforced only in the browser: the server issued a working session as soon as the password matched, and the second-factor and security-question prompts were page code that the researchers simply edited out. (Per Curry's write-up, the password itself came from a password-reset endpoint that let them set a new password for an employee account without any reset token, needing only the employee's email address.) A second factor that the server never checks is not a second factor at all.

That's a huge amount of access to features and data from a relatively simple hack. The good news is that Curry and Shah reported the vulnerability to Subaru, and the vehicle maker patched it within 24 hours—this hack is no longer possible. However, all of this data remains accessible to Subaru employees, which raises more questions.

Subaru and your data

The original hack was done by logging into the Starlink admin portal as a Subaru employee, via some detective work on LinkedIn to find an employee's email address and a little tweaking of website code. While this route of access has now been locked down, genuine Subaru staff can still get at all the information found by Curry and Shah, including the year's worth of location history.

"The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells," writes Curry. "It's part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust."

[Image: Subaru locations] Subaru employees can see where you've been via Starlink. Credit: Sam Curry

Subaru told Wired that its employees, "based on their job relevancy," can access location data—in the case of contacting first responders when a collision is detected, for example (though that hardly requires a year of data). Privacy, security, and NDA agreements are signed by these employees, Subaru says.
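If the remaining control really is "job relevancy" plus signed agreements, the practical question for Subaru's security team is what would make the alarm bells ring that Curry says stay silent. As an added example, not from the article's sources or from Subaru, here is a small detection pass over a constructed audit log of portal lookups. The log format, the employee and vehicle identifiers, and the three rules (sensitive data pulled with no support case attached, an employee querying a vehicle registered outside their support region, and one employee touching many distinct vehicles in a short window) are all assumptions chosen for illustration.

```javascript
"use strict";

// Constructed audit-log records for a hypothetical employee portal (not real data).
// Each record is one lookup: who queried, from which support region, which vehicle,
// where it is registered, what was pulled, and which support case (if any) it was for.
const ACCESS_LOG = [
  { ts: "2025-01-20T14:00:00Z", employee: "tx-agent-17", employeeRegion: "TX", vin: "V1", vehicleState: "TX", data: "billing",          caseId: "C100" },
  { ts: "2025-01-20T14:05:00Z", employee: "tx-agent-17", employeeRegion: "TX", vin: "V2", vehicleState: "CA", data: "billing",          caseId: null   },
  { ts: "2025-01-20T14:06:00Z", employee: "tx-agent-17", employeeRegion: "TX", vin: "V3", vehicleState: "CA", data: "location_history", caseId: null   },
  { ts: "2025-01-20T14:06:00Z", employee: "ca-agent-02", employeeRegion: "CA", vin: "V4", vehicleState: "CA", data: "location_history", caseId: "C200" },
  { ts: "2025-01-20T14:07:00Z", employee: "tx-agent-17", employeeRegion: "TX", vin: "V5", vehicleState: "TX", data: "odometer",         caseId: "C101" },
  { ts: "2025-01-20T14:07:30Z", employee: "tx-agent-17", employeeRegion: "TX", vin: "V6", vehicleState: "TX", data: "odometer",         caseId: "C102" },
  { ts: "2025-01-20T14:08:00Z", employee: "tx-agent-17", employeeRegion: "TX", vin: "V7", vehicleState: "TX", data: "odometer",         caseId: "C103" },
  { ts: "2025-01-20T14:09:00Z", employee: "tx-agent-17", employeeRegion: "TX", vin: "V8", vehicleState: "TX", data: "odometer",         caseId: "C104" },
];

// Data classes that should never be pulled without a linked support case.
const SENSITIVE = new Set(["billing", "location_history"]);

function findSuspiciousAccess(log, opts = {}) {
  const windowMs = opts.windowMs ?? 10 * 60 * 1000;   // sliding window for the velocity rule
  const maxVehicles = opts.maxVehiclesPerWindow ?? 5; // distinct vehicles allowed per window
  const findings = [];

  // Per-record rules.
  for (const r of log) {
    if (SENSITIVE.has(r.data) && !r.caseId) {
      findings.push({ rule: "no-ticket", employee: r.employee, vin: r.vin, ts: r.ts });
    }
    if (r.employeeRegion !== r.vehicleState) {
      findings.push({ rule: "out-of-region", employee: r.employee, vin: r.vin, ts: r.ts });
    }
  }

  // Velocity rule: how many distinct vehicles one employee touches inside the window.
  const byEmployee = new Map();
  for (const r of log) {
    if (!byEmployee.has(r.employee)) byEmployee.set(r.employee, []);
    byEmployee.get(r.employee).push(r);
  }
  for (const [employee, recs] of byEmployee) {
    recs.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
    const window = [];
    for (const r of recs) {
      const now = Date.parse(r.ts);
      window.push(r);
      while (Date.parse(window[0].ts) < now - windowMs) window.shift();
      const distinct = new Set(window.map((x) => x.vin)).size;
      if (distinct > maxVehicles) {
        findings.push({ rule: "velocity", employee, vin: r.vin, ts: r.ts, distinctVehicles: distinct });
        break; // one alert per employee is enough to open an investigation
      }
    }
  }
  return findings;
}

// Count findings per rule, the shape a dashboard or ticket would want.
function summarize(findings) {
  const out = {};
  for (const f of findings) out[f.rule] = (out[f.rule] || 0) + 1;
  return out;
}

module.exports = { ACCESS_LOG, findSuspiciousAccess, summarize };
```

Run against the constructed log, the Texas agent's two Californian lookups with no case attached trip both per-record rules, and the burst of lookups trips the velocity rule once; the Californian agent's in-region, case-linked query produces nothing. Thresholds are deliberately parameters, since a real support queue will have a very different baseline from this toy log.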

You can read the Subaru privacy policies here and here. You'll notice there's a lot of data collected about you and your vehicle via Starlink, including where it starts and stops, vehicle speeds, and diagnostic information. Use a Subaru website or app, and you're allowing access to a whole new swath of data, including data collected by the microphones and cameras on your devices.

Even worse, these policies apply to any passengers in a Subaru—Firefox developer Mozilla has a comprehensive breakdown here (note this includes Subaru's apps and website as well as Starlink). While Subaru promises not to sell your data to third parties, and says it requires the information to improve support and detect criminal activity, it can target you with ads, communications, and promotions.

[Image: Subaru forms] The researchers were able to get at a lot of user data. Credit: Sam Curry

There are steps you can take to limit some of this data collection. You can, of course, cancel your Starlink subscription, but then you miss out on features such as emergency assistance. You can also uninstall any Subaru-related apps from your phone, change your marketing preferences via the MySubaru portal, and fill out this form to put certain limits on data collection and sharing in specific states—though it's not clear which data the form covers or how long existing data will be retained.

Subaru isn't alone among car makers when it comes to security vulnerabilities and suspect privacy policies. However, it's another reminder that extra connectivity often comes with an extra cost in terms of user data—and that any decision about which car to buy next should probably come with a look at the manufacturer's data collection policies, too.
