Subaru Starlink: Difference between revisions
m improve references with additional information |
mNo edit summary |
||
| (One intermediate revision by one other user not shown) | |||
| Line 8: | Line 8: | ||
}} | }} | ||
== | ==Consumer impact summary== | ||
{{Ph-C-CIS}} | |||
Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" /> | Starlink is a connectivity service equipped on most modern Subaru vehicles, enabling extensive data collection from the vehicle and its occupants. The service has faced significant criticism and legal challenges over privacy concerns related to its data-collection and -sharing practices.<ref name="MozillaReview" /> | ||
== | ===Starlink app exploit (''2025'')=== | ||
The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with javascript the hacker found an employee email off linkedin and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with javascript. | The exploit was achieved by intercepting the Starlink app's network requests which revealed the admin portal login screen. Using the "Reset password" feature of the admin portal which was hidden with javascript the hacker found an employee email off linkedin and successfully managed to login to the admin portal. Although implementing 2FA this too was entirely client-side and the modal window blocking further interaction without verification could also be hidden with javascript. | ||
Inside the admin portal any employee had access to a range of personal information, largely comprised of the personal information listed below. Additionally the employee the hacker had login as had level 2 access allowing them to remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car. | Inside the admin portal any employee had access to a range of personal information, largely comprised of the personal information listed below. Additionally the employee the hacker had login as had level 2 access allowing them to remotely lock, unlock, honk, issue speeding warnings and more which they demonstrated on their own and a friend's Subaru car. | ||
The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |access-date=2025-02-19 |website=samcurry.net}}</ref> | The incident was initially ethically disclosed to Subaru on 24-20-11 with a blog post detailing the exploit released on 25-23-01.<ref>{{Cite web |last=Curry |first=Sam |date=23 Jan 2025 |title=Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel |url=https://samcurry.net/hacking-subaru |access-date=2025-02-19 |website=samcurry.net}}</ref> | ||
==Data collection== | ==Data collection== | ||
| Line 107: | Line 108: | ||
<references /> | <references /> | ||
[[Category: | [[Category:{{PAGENAME}}]] | ||