Found this article pretty interesting. The author does note that if you work in cybersecurity, the techniques used to discover this vulnerability are nothing new but that the impact of the vulnerability is. In short, there was a flaw in the account password reset logic within the admin side of Subaru's STARLINK connected vehicle system. The password reset endpoint would only ask for the account email address as well as the new password you wanted to set, with no MFA confirmation code. You could simply send an HTTP request to this endpoint and it would quietly just change an account's password. There was also a flaw with Subaru's custom 2FA popup that would show up upon logging into the admin portal. The popup was only really a client-side barrier and removing it through your browser dev-tools would grant you full access to the portal. Once in the portal, you could see sensitive customer information like name, address, and billing info, as well as gain access to customer vehicles, including sending remote commands and reading GPS location coordinates.
As the article notes, it is interesting just how big the impact of such a flaw would be. Connected car systems rely pretty heavily on the trust of employees and a rogue employee could easily do some harm. The EU introduced legislation for vehicles produced since July 2024 to have a certain level of security with their connected vehicle systems and the US just introduced similar legislation earlier this month, though with the new admin I'm not sure if it'll remain.
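The two backend failures the post describes, a reset that trusts only an email plus a new password and a 2FA gate that exists only in the browser, closed server-side in one toy model. This is an added example, not Subaru's or the article author's code; `AdminPortal`, the HMAC-based code stand-in, the in-memory stores and the `RESET_TTL` value are assumptions.

```python
import hmac
import secrets

RESET_TTL = 15 * 60  # seconds a reset token stays valid (assumed value)

class AdminPortal:
    def __init__(self, accounts):
        self.accounts = accounts  # email -> {"password": str, "mfa_secret": str} (constructed)
        self.reset_tokens = {}    # token -> (email, expiry)
        self.sessions = {}        # session id -> {"email": str, "mfa_ok": bool}

    def expected_code(self, email, now):  # toy TOTP stand-in: HMAC of the 30 s window
        secret = self.accounts[email]["mfa_secret"].encode()
        return hmac.new(secret, str(now // 30).encode(), "sha256").hexdigest()[:6]

    def request_reset(self, email, now):
        # Step 1: random single-use token, delivered out of band (mailbox), never in the response.
        token = secrets.token_urlsafe(32)
        if email in self.accounts:
            self.reset_tokens[token] = (email, now + RESET_TTL)
        return token

    def complete_reset(self, token, mfa_code, new_password, now):
        # Step 2: the token must be known, unexpired and unused (pop), and the MFA code must match.
        entry = self.reset_tokens.pop(token, None)
        if entry is None or now > entry[1]:
            return False
        if not hmac.compare_digest(mfa_code, self.expected_code(entry[0], now)):
            return False
        self.accounts[entry[0]]["password"] = new_password
        return True

    def login(self, email, password):
        acct = self.accounts.get(email)  # plain-text passwords only to keep the toy short
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"email": email, "mfa_ok": False}  # second factor still pending
        return sid

    def verify_mfa(self, sid, code, now):
        s = self.sessions[sid]
        s["mfa_ok"] = hmac.compare_digest(code, self.expected_code(s["email"], now))
        return s["mfa_ok"]

    def customer_records(self, sid):
        s = self.sessions.get(sid)
        if s is None or not s["mfa_ok"]:  # gate enforced here, server-side, not by a browser popup
            raise PermissionError("second factor not verified")
        return ["customer record visible to " + s["email"]]
```

A wrong MFA code also consumes the reset token, so each issued token allows exactly one guess before a fresh out-of-band request is needed.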
Most manufacturers have only just recently started signing their CAN messages. It’s why comma AI can drive your vehicle on vehicles a few years old but doesn’t work on many newer models.
I actually didn't know that, that's pretty interesting! Makes sense now that I think about it, I was always curious about how Comma AI was able to control vehicles like that.