Security researcher Sam Curry discovered multiple vulnerabilities in Subaru's Starlink connected car service. Through access to an internal administrative panel, Curry and his team could remotely locate vehicles, unlock/lock doors, flash lights, honk the horn, and even start the engine of various Subaru models. The vulnerabilities stemmed from exposed API endpoints, authorization bypasses, and hardcoded credentials, ultimately allowing unauthorized access to sensitive vehicle functions and customer data. These issues have since been patched by Subaru.
This blog post by Sam Curry details a significant vulnerability discovery within the Subaru Starlink connected car service. The author, through meticulous exploration of exposed application programming interfaces (APIs) and diligent reverse engineering, uncovered a plethora of unauthorized access points that allowed for remote control and tracking of a wide range of Subaru vehicles. The vulnerability stemmed from weaknesses within the Starlink backend infrastructure, specifically concerning authentication and authorization mechanisms.
Curry's investigation began with the identification of an exposed administrative panel, seemingly designed for internal use by Subaru employees or dealership personnel. Through systematic experimentation with different API endpoints and HTTP requests, he discovered that this panel was shockingly accessible without proper credentials. This unauthorized access granted him alarming capabilities, encompassing not only the retrieval of sensitive vehicle information but also the ability to execute commands remotely.
The range of controllable functions spanned multiple critical vehicle systems. He demonstrated the capacity to remotely unlock and lock car doors, activate the horn and lights, remotely locate vehicles with impressive precision through GPS coordinates, and even initiate the remote engine start functionality. Furthermore, access to personal information linked to vehicle owners was also possible, including names, addresses, and internal vehicle identification numbers (VINs).
The potential implications of this vulnerability were substantial, representing a serious threat to vehicle security and user privacy. An attacker exploiting these weaknesses could have potentially tracked vehicle movements, manipulated vehicle functions for malicious purposes, or gained access to personally identifiable information. Curry responsibly disclosed these vulnerabilities to Subaru, who acknowledged the issue and subsequently took steps to remediate the security flaws. The post meticulously documents the technical steps involved in uncovering the vulnerabilities, providing detailed explanations of the API endpoints exploited and the HTTP requests used. This thorough documentation underscores the complexity of the vulnerability and serves as a valuable resource for security researchers and automotive manufacturers seeking to improve the security posture of connected car services. The case serves as a stark reminder of the potential risks associated with internet-connected vehicles and the importance of robust security practices in their development and deployment.
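The summary above attributes the flaws to endpoints that acted on any vehicle for any caller, plus missing authentication. The following added example (not code from Sam Curry's post and not Subaru's implementation) contrasts a command handler with no checks against one that authenticates the caller, ties each vehicle to its owner, restricts what dealer and admin roles may do, and audits every decision. All names, tokens, VINs and roles are constructed for illustration.

```python
"""
Added example: authorization for a remote-vehicle-command API.

vulnerable_send_command() shows the defect class the summary describes:
an endpoint that executes a command for any VIN the caller names, with
no identity or ownership check. hardened_send_command() shows the
checks a defender would expect. Everything here is hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed session store: in a real service these come from the
# identity provider, never from credentials embedded in the code.
SESSIONS = {
    "tok-owner-1": "alice",
    "tok-owner-2": "dave",
    "tok-dealer-1": "dealer_bob",
    "tok-admin-1": "admin_carol",
}
ROLES = {"alice": "owner", "dave": "owner", "dealer_bob": "dealer", "admin_carol": "admin"}
# Constructed VIN -> account mapping; these are placeholder VINs, not real vehicles.
OWNERSHIP = {"VINTESTEXAMPLE001": "alice", "VINTESTEXAMPLE002": "dave"}

# Commands that reveal location or grant physical access are treated as sensitive.
SENSITIVE_COMMANDS = {"unlock", "start_engine", "locate"}
ALLOWED_COMMANDS = SENSITIVE_COMMANDS | {"lock", "flash_lights", "honk"}

AUDIT_LOG = []  # every allow/deny decision is appended here


@dataclass(frozen=True)
class CommandResult:
    accepted: bool
    reason: str


def vulnerable_send_command(vin: str, command: str) -> CommandResult:
    """Weak design: trusts anyone who can reach the endpoint and names a VIN."""
    return CommandResult(True, f"{command} dispatched to {vin}")


def _deny(reason: str, vin: str, command: str, actor: Optional[str]) -> CommandResult:
    AUDIT_LOG.append({"actor": actor, "vin": vin, "command": command,
                      "decision": "deny", "reason": reason})
    return CommandResult(False, reason)


def hardened_send_command(token: str, vin: str, command: str,
                          ticket: Optional[str] = None) -> CommandResult:
    """Authenticate, then authorize by role and ownership, then audit."""
    actor = SESSIONS.get(token)
    if actor is None:
        return _deny("unauthenticated", vin, command, None)
    if command not in ALLOWED_COMMANDS:
        return _deny("unknown command", vin, command, actor)
    if vin not in OWNERSHIP:
        return _deny("unknown vehicle", vin, command, actor)

    role = ROLES.get(actor)
    if role == "owner":
        # Owners act only on vehicles registered to their own account.
        if OWNERSHIP[vin] != actor:
            return _deny("caller does not own this vehicle", vin, command, actor)
    elif role == "dealer":
        # Dealer tooling can run diagnostics but never locate or open a car.
        if command in SENSITIVE_COMMANDS:
            return _deny("dealer role may not issue sensitive commands", vin, command, actor)
    elif role == "admin":
        # Support staff need a traceable reason for any sensitive action.
        if command in SENSITIVE_COMMANDS and not ticket:
            return _deny("sensitive admin command requires a support ticket", vin, command, actor)
    else:
        return _deny("no role assigned", vin, command, actor)

    AUDIT_LOG.append({"actor": actor, "vin": vin, "command": command,
                      "decision": "allow", "ticket": ticket})
    return CommandResult(True, "accepted")


if __name__ == "__main__":
    print(vulnerable_send_command("VINTESTEXAMPLE001", "unlock"))
    print(hardened_send_command("tok-owner-2", "VINTESTEXAMPLE001", "unlock"))
    print(hardened_send_command("tok-admin-1", "VINTESTEXAMPLE001", "locate", ticket="SUP-1"))
    print(AUDIT_LOG[-1])
```

The point of the split into authentication, role, ownership and audit steps is that each denial names which check failed, so a review of the audit log shows both the probing of other owners' vehicles and any admin action on a car without a ticket.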
Summary of Comments (158)
https://news.ycombinator.com/item?id=42803279
Hacker News users discuss the alarming security vulnerabilities detailed in Sam Curry's Subaru hack. Several express concern over the lack of basic security practices, such as proper input validation and robust authentication, especially given the potential for remote vehicle control. Some highlight the irony of Subaru's security team dismissing the initial findings, only to later discover the vulnerabilities were far more extensive than initially reported. Others discuss the implications for other connected car manufacturers and the broader automotive industry, urging increased scrutiny of these systems. A few commenters point out the ethical considerations of vulnerability disclosure and the researcher's responsible approach. Finally, some debate the practicality of exploiting these vulnerabilities in a real-world scenario.
The Hacker News post titled "Hacking Subaru: Tracking and Controlling Cars via the Starlink Admin Panel" generated a moderate amount of discussion, with several commenters focusing on various aspects of the vulnerability and its implications.
Several comments highlighted the surprising nature of the vulnerability being found in a modern connected car system. One commenter expressed disbelief that such a flaw could exist, stating incredulity at the idea that an entire fleet of cars could be controlled through an exposed admin panel. Another echoed this sentiment, emphasizing the unexpectedness of such a severe vulnerability in a production system.
A significant thread of discussion revolved around the potential consequences of this vulnerability. Some commenters speculated about the motivations and potential actions of a malicious actor exploiting this flaw. One user humorously suggested the possibility of a disgruntled employee using the access to cause widespread disruption. Others discussed the potential for theft, stalking, and other malicious activities enabled by the ability to track and control vehicles remotely.
The technical details of the vulnerability also drew attention. Some commenters delved into the specifics of the exposed API endpoints and the lack of proper authentication. One commenter questioned why a simple username and password were used for such a critical system, highlighting the lapse in security practices.
Several commenters discussed the implications for the automotive industry and the increasing reliance on connected car technology. One user expressed concern about the security of similar systems in other car brands, suggesting that this vulnerability might be indicative of a wider problem. Another pointed out the increasing attack surface presented by connected car features and the need for improved security measures.
A few commenters praised the researcher for responsibly disclosing the vulnerability and working with Subaru to address the issue. They emphasized the importance of ethical hacking in identifying and mitigating security risks.
Finally, some commenters offered more lighthearted takes on the situation, imagining scenarios like using the vulnerability to remotely warm up their car on a cold morning.
Overall, the comments on Hacker News reflect a mixture of concern, surprise, and technical curiosity about the Subaru vulnerability. They highlight the growing importance of security in the connected car landscape and the potential consequences of overlooking critical vulnerabilities.