Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/briankrebs/statuses/113878010929728488">BrianKrebs (briankrebs@infosec.exchange)'s status on Thursday, 23-Jan-2025 23:00:59 JST</a><a href="https://infosec.exchange/@briankrebs" title="briankrebs@infosec.exchange"><img src="https://gnusocial.jp/avatar/21764-48-20231108132353.webp" width="48" height="48" alt="BrianKrebs" style="position: absolute; left: 0; top: 0;">BrianKrebs</a></section><article><p>Some fascinating research out on hacking a Subaru via STARLINK connected vehicle service. </p><p>"On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.</p><p>Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:</p><p>Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.</p><p>Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.</p><p>Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.</p><p>Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.</p><p>After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously."</p><p><a href="https://samcurry.net/hacking-subaru#introduction" rel="nofollow">https://samcurry.net/hacking-subaru#introduction</a></p><p><a href="https://infosec.exchange/tags/cars" rel="tag">#cars</a> <a href="https://infosec.exchange/tags/security" rel="tag">#security</a> <a href="https://infosec.exchange/tags/subaru" rel="tag">#subaru</a> @starlink</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4432455#notice-8671889">In conversation</a><time datetime="2025-01-23T23:00:59+09:00" title="Thursday, 23-Jan-2025 23:00:59 JST">about 8 days ago</time> <span>from <span><a href="https://infosec.exchange/@briankrebs/113878010929728488" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@briankrebs/113878010929728488">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: samcurry-fzc7x4yr9-sam-currys-projects.vercel.app</div><h5><a href="https://samcurry.net/hacking-subaru#introduction#cars">Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel</a></h5><div></div></header><div>On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United States, Canada, and Japan.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
BrianKrebs (briankrebs@infosec.exchange)'s status on Thursday, 23-Jan-2025 23:00:59 JST BrianKrebs
Some fascinating research out on hacking a Subaru via STARLINK connected vehicle service.
"On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.
Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:
Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.
Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.
Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.
Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.
After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously."
https://samcurry.net/hacking-subaru#introduction
#cars #security #subaru @starlink
In conversationabout 8 days ago from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: samcurry-fzc7x4yr9-sam-currys-projects.vercel.app
  Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
  On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Public

Embed Notice

HTML Code

Corresponding Notice