On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United States, Canada, and Japan.
Something similar was found on another system by a certain Korean carmaker and silently patched. I’m positive these types of systems will all be exploited more in the future, and need to be completely overhauled. Cars should not be reachable entities on any sort of network, especially one without proper IAC restrictions. They should be consumers of said information at best, but even that will eventually be impersonated somehow. We have the potential for a turnkey system with all the damn devices running around that can be used as a 3-key-minimum system to ensure proper identity, but that would be giving consumers TOO MUCH CONTROL 🤣