Yet Another App Hack
In recent years, the user 'experience' has been treated as far more important than security. This is evidenced by the number of successful attacks on consumer goods and services. It has been prevalent in vehicle security, where a number of attacks have been based on loosely coded apps with no security put in place. In a recent case, the target was a Subaru WRX STI. This vehicle has the Starlink web app, which gives the owner access to the vehicle for unlocking the doors and other activities. This attack also works with other Subaru models, 2017 model year and later, with Starlink installed.
An exceptionally common attack point with vehicles has been the communication link between the user and the application. This link has not received the attention it should have. Starlink is no different, unfortunately. The focus here is the communication between the web application and the service’s server. The attack is not specific to any smartphone platform; it applies to both iPhone and Android smartphones.
This vulnerability allows an unauthorized attacker to lock/unlock the doors, turn the lights on/off, honk the horn, and access the vehicle’s prior locations (Kirk, 2017). These and other permutations were part of the eight vulnerabilities noted by the researcher (Abel, 2017). The issue revolves around Starlink. Starlink, much like any other application, authenticates the user. The problem involves the token used in the authentication process. The token is randomly generated, but once issued it is never changed. Even when the user updates the password for the application, the token still does not change. The token is also not appropriately secured: the mobile application forwards it via the URL in the clear, and in addition the token is cached. No other verification was needed. This application does not, however, have access to the vehicle systems that are critical to its operation (e.g., the vehicle’s brakes, steering apparatus, and speed).
With this information, the attacker was able to add additional persons as users on the Starlink account attached to the vehicle. The actual owner of the vehicle thus has new users attached to the account without his/her knowledge, as the owner is completely out of the loop on the addition. The newly minted users attached to the vehicle’s account had the same rights and access as the car owner.
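The token weaknesses described above (no rotation, survival across a password change, transport in the URL) map to a few server-side checks. The sketch below is an added example, not Starlink's code or anything from the cited reports; the class name, the `token` query parameter, the Bearer header and the 15-minute lifetime are all assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import urlsplit, parse_qs

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the article gives no value


class TokenStore:
    """Hypothetical server-side session store illustrating token hygiene."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked session table does not leak live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (user, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def change_password(self, user):
        # The password update itself is out of scope; the point is that every
        # existing token for the user is revoked and a fresh one is issued.
        self._sessions = {d: s for d, s in self._sessions.items() if s[0] != user}
        return self.issue(user)

    def authenticate(self, url, headers):
        """Return the user for a valid request, or None."""
        # Refuse tokens carried in the URL, where they end up in logs and caches.
        if "token" in parse_qs(urlsplit(url).query):
            return None
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return None
        digest = self._digest(token)
        user, expires_at = self._sessions.get(digest, (None, 0))
        if user is None or self._clock() >= expires_at:
            self._sessions.pop(digest, None)  # drop expired entries
            return None
        return user
```
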
In order to capture the token, which is paramount for the attack, the researcher coded a cross-site scripting (XSS) vulnerability. This would require the user to interact with the source code from another app in the web application that would normally be used.
This is not the easiest attack available. The user has to click on the malicious content/link, which did complicate the attack. This has proven to be effective, but it provides only a speed bump to a successful attack.
Researchers who find bugs generally have two primary options. There is the responsible route, which is to inform the vendor/target of the issue and work with them on it, or the researcher can publish the issue before allowing the engineers sufficient time to fix it. The decision is based on personal motivations, environment, and prior experience with the vendor. In this case, the issue was reported to Subaru in February 2017. To ensure it was patched, the researcher monitored the patching progress.
At times, people have been prone to focus on convenience instead of analyzing the effects of a lack of applied security. In vehicles, this is becoming more of an issue and is receiving much more focus as we move steadily towards the autonomous vehicle being viable and on the roads in vast numbers. To consumers, the lack of security at certain points may appear to be fine and to present no discernible issues at the time. In the rare case when the user clicks in an area or on a link within the web application, there can be significant issues. With security built and designed in from the beginning, the issues would be fewer and much easier to patch.
Abel, R. (2017, June 5). Subaru WRX STI hacked, eight vulnerabilities spotted. Retrieved from https://www.scmagazine.com/researcher-hacks-subaru-wrx-sti-starlink/article/666460/
Ilascu, I. (2017, June 8). Researcher finds basic mistakes in Subaru’s Starlink service. Retrieved from https://www.bitdefender.com/box/blog/iot-news/starlink-service/
Kirk, J. (2017, June 5). Exclusive: Vulnerabilities could unlock brand-new Subarus. Retrieved from http://www.bankinfosecurity.com/exclusive-vulnerabilities-could-unlock-brand-new-subarus-a-9970
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.