Security researchers Sam Curry and Shubham Shah explain in a blog post how they were able to remotely hack into the Starlink connected vehicle service run by Subaru. Specifically, they targeted software on Curry's mom's car, but the same platform operates across Subaru vehicles in the U.S., Canada, and Japan.
The same hack gave access to personal information about the driver, including their address, their billing information (though not their full credit card number), and their emergency contact. Support call history, odometer readings, and previous owners of the motor could also be accessed.
Curry and Shah managed to test out the access on a Subaru belonging to one of their friends, and it worked again—all without any kind of notification or alert to the car's driver that their vehicle was being accessed. All that was needed was a successful login to the Starlink portal and some basic driver information.
The Subaru employee portal was targeted by the hack. Credit: Sam Curry
That's a huge amount of access to features and data from a relatively simple hack. The good news is that Curry and Shah reported the vulnerability to Subaru, and the vehicle maker patched it within 24 hours—this hack is no longer possible. However, all of this data remains accessible to Subaru employees, which raises more questions.
Subaru and your data
"The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells," writes Curry. "It's part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust."
Subaru employees can see where you've been via Starlink. Credit: Sam Curry
You can read the Subaru privacy policies here and here. You'll notice there's a lot of data collected about you and your vehicle via Starlink, including where it starts and stops, vehicle speeds, and diagnostic information. Use a Subaru website or app, and you're allowing access to a whole new swath of data, including data collected by the microphones and cameras on your devices.
Even worse, these policies apply to any passengers in a Subaru—Firefox developer Mozilla has a comprehensive breakdown here (note this includes Subaru's apps and website as well as Starlink). While Subaru promises not to sell your data to third-parties, and says it requires the information to improve support and detect criminal activity, it can target you with ads, communications, and promotions.
The researchers were able to get at a lot of user data. Credit: Sam Curry
Subaru isn't alone among car makers when it comes to security vulnerabilities and suspect privacy policies. However, it's another reminder that extra connectivity often comes with an extra cost in terms of user data—and that any decision about which car to buy next should probably come with a look at the manufacturer's data collection policies, too.