As vehicles increasingly integrate advanced technology and internet connectivity, they are becoming more vulnerable to cybersecurity threats. A recent vulnerability in Subaru’s Starlink system highlights the risks consumers face. This incident is part of a broader issue affecting the automotive industry, where connected car systems can be exploited, leading to privacy breaches, financial loss, and even physical danger.
The Subaru Starlink Vulnerability
Security researchers recently discovered a major vulnerability in Subaru’s Starlink service that could have allowed hackers to take control of vehicles and access sensitive customer data.
Using just a license plate and basic details like the owner’s last name or email address, attackers could exploit the system in several alarming ways. They could remotely start or stop the car, lock and unlock its doors, and track the vehicle’s real-time location. Additionally, they could extract personally identifiable information (PII), including emergency contacts, billing details, and the vehicle’s PIN. Perhaps most concerning, hackers could access precise location data spanning over a year, with accuracy within five meters, enabling them to build a detailed profile of the victim’s movements.
The vulnerability stemmed from weaknesses in the Starlink admin portal, such as an insecure password reset API endpoint and insufficient protection against two-factor authentication (2FA) bypass. Although Subaru quickly patched the flaw within 24 hours of its discovery, the incident highlights a critical failure in securing connected car systems.
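To make the two weaknesses named above concrete, here is a constructed illustration (added here, not Subaru's code or anything from the original report) of a password-reset endpoint that trusts a client-supplied "2FA passed" flag, beside a hardened flow that keeps the reset token and second-factor state on the server. The user record, one-time code and token store are hypothetical.

```python
import hmac
import secrets
import time

# Constructed sample account store (not real data); the one-time code stands in
# for whatever second factor the portal would verify.
USERS = {"owner@example.com": {"password": "old-pass", "otp": "492817"}}
RESET_TOKENS = {}        # token -> {"email", "expires", "otp_ok"}
TOKEN_TTL = 15 * 60      # seconds a reset token stays valid


def weak_reset(email, new_password, two_factor_verified):
    """Weak pattern: the caller asserts that 2FA already succeeded, so anyone
    who knows the account e-mail can send True and overwrite the password."""
    if email in USERS and two_factor_verified:
        USERS[email]["password"] = new_password
        return True
    return False


def start_reset(email):
    """Hardened step 1: issue a random, expiring, single-use token bound to the
    account. It would be delivered out of band (e-mail/SMS), never echoed back
    in the API response as it is here for the demo."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"email": email, "expires": time.time() + TOKEN_TTL,
                           "otp_ok": False}
    return token


def verify_second_factor(token, otp_code):
    """Hardened step 2: the server checks the one-time code and records the
    result against the token; the client never supplies a 'verified' flag."""
    entry = RESET_TOKENS.get(token)
    if entry is None or time.time() > entry["expires"]:
        return False
    expected = USERS[entry["email"]]["otp"]
    entry["otp_ok"] = hmac.compare_digest(expected, otp_code)  # constant-time
    return entry["otp_ok"]


def hardened_reset(token, new_password):
    """Hardened step 3: only a live token whose 2FA step succeeded server-side
    may change the password, and the token is consumed on use."""
    entry = RESET_TOKENS.get(token)
    if entry is None or time.time() > entry["expires"] or not entry["otp_ok"]:
        return False
    USERS[entry["email"]]["password"] = new_password
    del RESET_TOKENS[token]
    return True
```

In production the token would additionally be stored hashed and the one-time code rate-limited; the point here is that the reset decision never depends on state the client controls.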
The Broader Implications For Automotive Cybersecurity
Subaru’s case is not isolated. Other automakers have faced similar vulnerabilities, such as a flaw in Kia’s dealer portal that allowed hackers to locate and steal vehicles using their license plates. These examples reveal systemic issues in the design and deployment of connected car systems, including:
- Weak authentication makes it easier for attackers to break into sensitive systems.
- Centralized systems store large amounts of sensitive user and vehicle data, making breaches more likely.
- Many connected car platforms do not encrypt data properly, leaving it vulnerable during transmission.
- Poor integration with third-party apps and portals creates security gaps.
- Automakers often take too long to find and fix vulnerabilities, leaving vehicles exposed for longer than necessary.
Beyond the Subaru and Kia incidents, connected cars face a host of cybersecurity challenges. Hackers can remotely hijack vehicle functions, posing serious safety risks, or steal personal and financial data stored in onboard systems. Ransomware attacks could render vehicles unusable, while GPS spoofing might mislead drivers or aid in theft. Even compromised infotainment systems can leak sensitive information or spread malware to connected devices.
How Consumers Can Protect Themselves
Although automakers bear the primary responsibility for securing their systems, consumers can take proactive steps to protect themselves from vehicle cybersecurity threats:
- Regularly check for and apply updates to the car’s firmware or connected apps. Automakers often release patches to address vulnerabilities.
- Use multi-factor authentication (MFA) wherever possible for connected car accounts and associated apps. Avoid default or weak passwords.
- Only share necessary information when using connected car services. Avoid linking excessive personal data to vehicle systems.
- Turn off unnecessary connectivity features like remote start or location sharing if they are not actively used.
- Protect SIM card and phone accounts associated with the car.
- Avoid accessing connected car systems over public Wi-Fi networks. Use a virtual private network (VPN) if needed.
- Vet third-party apps for security and only download from trusted sources. Avoid granting unnecessary permissions.
- Employ traditional security measures like steering wheel locks or GPS trackers as a backup against cyber threats.