Security researchers have discovered an arbitrary account takeover flaw in Subaru’s Starlink service that could let attackers track, control, and hijack vehicles in the United States, Canada, and Japan using just a license plate.
I refuse to comprehend why an admin override style panel is even needed for this. It’s one thing if it’s owned by the dealer, but if you have the title to your car, it’s unnecessary for your employees to need access to every customer’s vehicle past purchase. Once it’s been handed over, there is zero reason for a remote employee to be able to access your car remotely, paying for a service or not.
This isn’t a third party gaining access to a customer’s account, this is a third party gaining access to a Subaru employee’s account, who for some reason can access an “admin panel” that has every Subaru car in it and the ability to remote control it. That’s insane.
It might make sense to have an admin panel for account related functionality, basically: do these cars still exist, or have they not checked in for three years at all? Maybe an owner reset in case of auctions of vehicles by a bank or something similar. But it certainly makes no sense that someone could have access to the functionality of the car itself without at the very least locking out the current owner (via that owner reset) and thus being very noticeable.