• TimeSquirrel@kbin.melroy.org · 10 months ago · 10 up, 1 down

    Simply removing the two-factor auth element which does nothing to access the main page underneath. I do that shit with newspaper paywalls. That is wild.

    Also having a script in there that just resets a password no questions asked. WTF is going on with modern software development? It isn’t just Subaru. It’s almost everything in the last 15 years. Behind all the pretty lipstick, IT systems are jankier than ever.

    For any aspiring programmers, remember, never ever assume the user is rational, expecting them to follow the rules. At least half of your user data-handling code should be validation and sanity checks. Code defensively.

    • TheKMAP@lemmynsfw.com · 10 months ago · 1 up

      That password reset looked to be like step four of something. So it’s a business logic bypass. Still awful of course, but slightly more understandable given other ways this vulnerability could have been introduced. The cool part was detecting all the steps completely black-box because everything was in the JavaScript.

      There is no excuse for issuing a valid token before MFA succeeds though. That is negligent.
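The two points above (a two-factor prompt that is only a page element, and a session token that is already valid before MFA completes) are the same defect seen from the client and the server side. The following is an added example, not code from the original thread or from Subaru, Sam Curry's writeup or any real portal: two toy login servers, one that mints a full session after the password and relies on the page's JavaScript to show an MFA prompt, and one that hands out only a short-lived pending ticket until the MFA code verifies server-side. The user record, VIN and TOTP code are constructed for the demo; `admin_lookup` stands in for whatever privileged endpoint sits behind the login.

```python
"""A client-side MFA gate versus a server-side one (added example, not the page's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed demo credentials for the example only (not real accounts).
USERS = {"admin@example.com": {"password": "correct horse", "totp": "482913"}}


def _password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def _totp_ok(user: str, code: str) -> bool:
    # A real server would compute the TOTP window; a fixed code keeps the demo offline.
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["totp"], code)


@dataclass
class Session:
    user: str
    mfa_done: bool
    issued: float = field(default_factory=time.time)


class InsecureAuth:
    """Pattern 1: full session after the password; MFA is only a UI step."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        if not _password_ok(user, password):
            return None
        token = secrets.token_urlsafe(32)
        # Already fully privileged: the JavaScript is the only thing asking for MFA.
        self.sessions[token] = Session(user, mfa_done=True)
        return token

    def verify_mfa(self, token: Optional[str], code: str) -> Optional[str]:
        # Decorative: the session was usable before this was ever called.
        s = self.sessions.get(token) if token else None
        return token if s is not None and _totp_ok(s.user, code) else None

    def admin_lookup(self, token: Optional[str], vin: str) -> Optional[dict]:
        s = self.sessions.get(token) if token else None
        return None if s is None else {"vin": vin, "by": s.user}


class SecureAuth:
    """Pattern 2: the password yields a pending ticket; a session exists only after MFA."""

    PENDING_TTL = 300  # seconds an unfinished MFA ticket stays valid

    def __init__(self) -> None:
        self.pending: Dict[str, Session] = {}
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        if not _password_ok(user, password):
            return None
        ticket = secrets.token_urlsafe(32)
        self.pending[ticket] = Session(user, mfa_done=False)
        return ticket

    def verify_mfa(self, ticket: Optional[str], code: str) -> Optional[str]:
        p = self.pending.get(ticket) if ticket else None
        if p is None or time.time() - p.issued > self.PENDING_TTL:
            self.pending.pop(ticket, None)
            return None
        if not _totp_ok(p.user, code):
            return None
        del self.pending[ticket]  # single use: no replaying the ticket later
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(p.user, mfa_done=True)
        return token

    def admin_lookup(self, token: Optional[str], vin: str) -> Optional[dict]:
        # Pending tickets live in a different table and are never accepted here.
        s = self.sessions.get(token) if token else None
        if s is None or not s.mfa_done:
            return None
        return {"vin": vin, "by": s.user}


def skip_mfa_attack(auth, user: str, password: str, vin: str) -> Optional[dict]:
    """What 'deleting the MFA element' amounts to: log in, never complete MFA,
    and call the privileged endpoint with whatever the server handed back."""
    tok = auth.login(user, password)
    return auth.admin_lookup(tok, vin)


def full_flow(auth, user: str, password: str, code: str, vin: str) -> Optional[dict]:
    """The honest path: password, then MFA, then the privileged call."""
    tok = auth.verify_mfa(auth.login(user, password), code)
    return auth.admin_lookup(tok, vin)
```

Against `InsecureAuth`, `skip_mfa_attack` returns the privileged record with no MFA at all; against `SecureAuth` the same call gets nothing, because the only thing the password step ever produced was a ticket the privileged endpoint does not recognise. The design choice that matters is that the pending ticket and the real session are different objects in different tables, so no client-side change can turn one into the other.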

    • Viri4thus@feddit.org · 10 months ago · 0 up, 1 down

      Subcontracted to Indian, Ukrainian and other low income countries. You get what you pay for.

  • lunatic_lobster@lemmy.world · 10 months ago · 9 up

    For anyone who has a Subaru and wants to get rid of this there is an aftermarket part you can install to bypass the telematics radio without losing access to any other features (if you just unplug it I think speakers stop working)

    https://www.autoharnesshouse.com/69018.html

    It’s $80 for the one that retains the OEM head unit, but I’m thinking that might be worth it.

  • DarkFuture@lemmy.world · 10 months ago · 5 up

    The Starlink system is TRRAAAAAAAAAASH.

    Shit is designed like shit and crashes/freezes all the time. A pop up you have to hit AGREE on pops up every time you turn on the car and you have to wait a solid 5 seconds before you can hit it. You have NO control over the touch screen until you do so. None of the physical buttons work either. So whatever volume you had your speakers at when you turned the car off is what you get for a solid 5 seconds when you turn the car on before you can turn the speakers down. What kind of shit for brains developers/engineers were responsible for that gem?

    It is categorically awful. It’s really unfortunate that a bad touch screen system can basically eliminate a car for perspective buyers.

    • Dozzi92@lemmy.world · 10 months ago · 5 up

      Just a couple corrections. I have a '24 WRX and the volume knob and physical buttons work when the pop-up is in screen; they work immediately when I start the car. There’s only temperature up and down and front and rear defrosters, so not exactly a lot.

      Also, prospective not perspective.

      I generally agree, hate the pop-up, hate the touchscreen, but when it’s the only option it’s kinda like, okay then.

  • Damage@feddit.it · 10 months ago · 5 up

    You know, if they didn’t track and connect to your car, there would be nothing to hack! Cheaper all around!

    • Dremor@lemmy.world · 10 months ago · 6 up

      Joke on you, my car is a cargo bike.

      Nothing is connected, but at least I move only what’s needed, but a fuckton of steel just to get my ass slightly faster to my destination.

  • skip0110@lemm.ee · 10 months ago · 2 up

    The scary part to me (noted in the article as well) is less the technical hack but more so the amount of data they are collecting.

    Subaru had/has an ongoing issue where the telematics drains the battery while the car is parked, especially if it’s parked out of reach of cell towers. With the amount of data they are sending, it’s not surprising.

    There is no need for the car to report its position whatsoever unless I request assistance.

  • PalmTreeIsBestTree@lemmy.world · 10 months ago · 1 up

    I’m glad Starlink doesn’t work anymore on my older Subaru since it used 3G cell towers. To be specific, if any of you got a pre-2020 Outback, then you should not have to worry about this. I had a battery issue and the reason why is because my car was constantly searching for the towers and draining it. I ended up getting a free battery out of that ordeal though.

    • Dr_Nik@lemmy.world · 10 months ago · 0 up

      They will now replace the Starlink module free of charge under a recall. Your battery will keep dying unless you either replace the module or remove the fuse that activated the thing.

        • Dr_Nik@lemmy.world · 10 months ago · 0 up

          Well sure…they won’t replace it unless you want them to…it’s your car. But what I mean to say is that they can replace it under warranty now and if you don’t replace it you will keep losing batteries. That’s what happened with my 2018 Outback (I went through a battery every 3-6 months for 3 years).

          • PalmTreeIsBestTree@lemmy.world · 10 months ago · 1 up

            I only had this battery replacement last year. My previous battery actually still worked okish when they replaced it, but they said they would replace it for me for free. It was almost 7 years old when I had it replaced.

          • ysjet@lemmy.world · 10 months ago · 1 up, 1 down

            Why are you pushing this guy to replace the non-working spy unit with a WORKING spy unit?

            • Dr_Nik@lemmy.world · 10 months ago · 1 up, 1 down

              Actually I gave them two ways to eliminate the parasitic drain: replace with a working spy unit or disconnect the non working spy unit (the status quo would leave them with continuously dying batteries).

              Plus, let’s be real: the chances that anyone cares about any one person’s location is slim to none (barring political figures, billionaires, and celebrities). If you are worried about the mass collection of people’s locations, dropping one person off the Subaru map will have zero impact. Taking away a Subaru data point does not do anything about cell phone GPS, cell tower triangulation, EZ-Pass tracking, traffic cameras, or licence plate tracking (and those are just the car based tracking systems off the top of my head).