Subaru Reveals Security Flaws in Its Tracking System for Millions of Vehicles


Curry and Shah reported their findings to Subaru in late November, and Subaru quickly patched Starlink’s security flaws. But the researchers cautioned that the Subaru web vulnerabilities are just the latest in a long series of similar web-based flaws that they, and other security researchers they have worked with, have found affecting more than a dozen manufacturers, including Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota, and others. There is little doubt, they say, that similarly serious hackable bugs exist in other car companies’ web tools that have yet to be discovered.

In the case of Subaru in particular, they also pointed out that their discovery shows how extensively anyone with access to Subaru’s portal can track the movements of its customers, a privacy issue that outlasts the web vulnerabilities that exposed it. “The thing is, even if it’s fixed, this functionality will still continue for Subaru employees,” Curry said. “It’s normal use that an employee is able to get a year’s worth of your location history.”

When WIRED contacted Subaru for comment on Curry and Shah’s findings, a spokesperson responded with a statement that “after being notified by independent security researchers, (Subaru) discovered a vulnerability in Starlink service that may allow third parties to access Starlink accounts. The vulnerability was immediately closed and no customer information was accessed without permission.”

A Subaru spokesperson also confirmed to WIRED that “there are Subaru of America employees, based on their employment relationship, who can access location data.” The company offered as an example that employees have that access in order to share the location of a vehicle with first responders when a collision is detected. “All these individuals are properly trained and required to sign appropriate privacy, security, and NDA agreements when necessary,” Subaru’s statement said. “These systems have security monitoring solutions that are continuously evolving to meet the modern cyber threats.”

Responding to Subaru’s example of notifying first responders about a collision, Curry says that hardly requires a year’s worth of location history. The company did not respond to WIRED’s question about how far back it keeps customers’ location histories and makes them available to employees.

Shah and Curry’s research that led them to the discovery of Subaru’s vulnerabilities began when they found that Curry’s mother’s Starlink app was connected to the domain SubaruCS.com, which they realized was an administrative domain for employees. Checking the site for security flaws, they found they could reset employees’ passwords just by guessing their email address, giving them the ability to take over the account of any employee whose email address they could find. The password reset functionality asked for answers to two security questions, but they found that those answers were checked using code running in a user’s local browser, not on Subaru’s server, which meant the protection could be easily bypassed. “There were a lot of systemic failures that led to this,” Shah said.

The two researchers said they found the email address of a Subaru Starlink developer on LinkedIn, took over the employee’s account, and immediately found they could use the employee’s access to look up any Subaru owner by last name, zip code, email address, phone number, or license plate and access their Starlink configuration. In seconds, they could reassign control of the Starlink features of that user’s car to themselves, including the ability to remotely unlock the car, honk its horn, start its ignition, or locate it, as shown in the video below.


