this post was submitted on 23 Jan 2025
261 points (99.2% liked)

Technology

[–] [email protected] 5 points 4 hours ago

You know, if they didn't track and connect to your car, there would be nothing to hack! Cheaper all around!

[–] [email protected] 5 points 7 hours ago

Joke's on you, my car is 20 years old

[–] lunatic_lobster 42 points 23 hours ago (1 children)

For anyone who has a Subaru and wants to get rid of this there is an aftermarket part you can install to bypass the telematics radio without losing access to any other features (if you just unplug it I think speakers stop working)

https://www.autoharnesshouse.com/69018.html

It's $80 for the one that retains the OEM head unit, but I'm thinking that might be worth it.

[–] Blaster_M 9 points 23 hours ago

Now that's something I'm looking for

[–] DarkFuture 30 points 1 day ago* (last edited 1 day ago) (2 children)

The Starlink system is TRRAAAAAAAAAASH.

Shit is designed like shit and crashes/freezes all the time. A pop up you have to hit AGREE on pops up every time you turn on the car and you have to wait a solid 5 seconds before you can hit it. You have NO control over the touch screen until you do so. None of the physical buttons work either. So whatever volume you had your speakers at when you turned the car off is what you get for a solid 5 seconds when you turn the car on before you can turn the speakers down. What kind of shit for brains developers/engineers were responsible for that gem?

It is categorically awful. It's really unfortunate that a bad touch screen system can basically eliminate a car for prospective buyers.

[–] EncryptKeeper 5 points 9 hours ago

Mazda has the same pop-up issue. Luckily, online you can flash a program to a USB stick that lets you pick and choose infotainment hacks to apply to your car (that pop-up, and the restrictions on using the touch screen while moving, among them), and then you just plug it into the car and it auto-applies.

[–] [email protected] 3 points 10 hours ago (2 children)

Are there any car infotainment systems that aren't complete shit?

I bought a Subaru over 10 years ago and I didn't give the infotainment part enough scrutiny when checking it out. I love the way the car drives, but anything dealing with the radio just pisses me off. I don't even have Starlink.

[–] [email protected] 3 points 4 hours ago

I have a 9-year-old Subaru I bought used; the first thing I did was trash the "radio" and replace it with an iDoing Chinese Android head unit.
It's not super polished, but much better than the trash Subaru put on it. The good thing they did was NOT integrate it into the car too much, so replacing it meant losing no functionality at all.

[–] [email protected] 3 points 8 hours ago* (last edited 8 hours ago)

Are there any car infotainment systems that aren't complete shit?

Absolutely.

The infotainment system in my car consists of a glass-mount phone holder that turns the in-panel display from a worthless piece of glass into a convenient spot to rest my phone while I drive. A+, 10/10, would highly recommend.

(I did mount it on the corner of the display, but I don't actually use the built-in system. Haven't even bothered to get the backup camera replaced since it stopped working.)

[–] [email protected] 35 points 1 day ago (1 children)

The scary part to me (noted in the article as well) is less the technical hack but more so the amount of data they are collecting.

Subaru had/has an ongoing issue where the telematics drains the battery while the car is parked, especially if it’s parked out of reach of cell towers. With the amount of data they are sending, it’s not surprising.

There is no need for the car to report its position whatsoever unless I request assistance.

[–] [email protected] 19 points 1 day ago

At 38C3, there was a talk about Volkswagen - a German car manufacturer - that didn't correctly secure the data it collected from its vehicles and what you can "learn" from this data. The talk can be found here; it's in German but there's also an English translation in another audio layer.

https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-volksdaten-von-volkswagen

[–] [email protected] 77 points 1 day ago (4 children)

Simply removing the two-factor auth element which does nothing to access the main page underneath. I do that shit with newspaper paywalls. That is wild.

Also having a script in there that just resets a password no questions asked. WTF is going on with modern software development? It isn't just Subaru. It's almost everything in the last 15 years. Behind all the pretty lipstick, IT systems are jankier than ever.

For any aspiring programmers, remember, never ever assume the user is rational, expecting them to follow the rules. At least half of your user data-handling code should be validation and sanity checks. Code defensively.

[–] [email protected] 1 points 7 hours ago

That password reset looked to be step four of something. So it's a business logic bypass. Still awful of course, but slightly more understandable given the other ways this vulnerability could have been introduced. The cool part was detecting all the steps completely black-box because everything was in the JavaScript.

There is no excuse for issuing a valid token before mfa succeeds though. That is negligent.
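
The two comments above describe the same root cause twice: the server treats a client-side step (the MFA element, step four of the reset wizard) as if it had been enforced. The following is an added example, not code from the article, from Subaru, or from anyone in this thread. It models a weak login that mints a full session as soon as the password checks out and leaves the MFA prompt to the page's JavaScript, beside a hardened one that hands out only a short-lived, single-use pre-auth challenge and mints the session itself after verifying the second factor. The user record, the password hashing, the token format and the TOTP helper are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo user. A real deployment hashes passwords with a slow KDF
# (argon2/scrypt/bcrypt); plain SHA-256 is used here only to keep the demo short.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"0123456789abcdef0123",
    }
}


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw_hash"],
                               hashlib.sha256(password.encode()).hexdigest())


class WeakServer:
    """Session issued before MFA; the MFA gate exists only in the client."""

    def __init__(self):
        self.sessions = {}  # session token -> user

    def login(self, user: str, password: str):
        if not password_ok(user, password):
            return None
        tok = secrets.token_hex(16)
        self.sessions[tok] = user  # already a fully valid session
        return tok                 # the page is merely *expected* to show an MFA prompt next

    def dashboard(self, tok: str):
        return self.sessions.get(tok)  # never asks whether MFA happened


class HardenedServer:
    """Session issued only after the server itself has verified MFA."""

    CHALLENGE_TTL = 300  # seconds a pre-auth challenge stays redeemable

    def __init__(self):
        self.pending = {}   # challenge token -> (user, expiry)
        self.sessions = {}  # session token -> user

    def login(self, user: str, password: str, now: float):
        if not password_ok(user, password):
            return None
        chal = secrets.token_hex(16)
        self.pending[chal] = (user, now + self.CHALLENGE_TTL)
        return chal  # a challenge, not a session: dashboard() does not accept it

    def verify_mfa(self, chal: str, code: str, now: float):
        entry = self.pending.pop(chal, None)  # single use, whatever the outcome
        if entry is None:
            return None
        user, expiry = entry
        if now > expiry:
            return None
        expected = totp(USERS[user]["totp_secret"], now)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return None
        tok = secrets.token_hex(16)
        self.sessions[tok] = user  # session state is created here and nowhere else
        return tok

    def dashboard(self, tok: str):
        return self.sessions.get(tok)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Skip or replay the MFA step against both servers and report who got in."""
    weak = WeakServer()
    tok = weak.login("alice", "correct horse")  # attacker never touches the MFA prompt
    result = {"weak_without_mfa": weak.dashboard(tok)}

    hard = HardenedServer()
    real = totp(USERS["alice"]["totp_secret"], now)
    wrong = "000000" if real != "000000" else "111111"
    chal = hard.login("alice", "correct horse", now)
    result["hard_without_mfa"] = hard.dashboard(chal)            # challenge is not a session
    result["hard_wrong_code"] = hard.verify_mfa(chal, wrong, now)  # wrong code burns the challenge
    result["hard_replayed_challenge"] = hard.verify_mfa(chal, real, now)  # already consumed
    chal2 = hard.login("alice", "correct horse", now)
    result["hard_with_mfa"] = hard.dashboard(hard.verify_mfa(chal2, real, now))
    return result


if __name__ == "__main__":
    print(demo())
```

The same principle covers the multi-step reset flow: each step should advance a server-side record and be rejected unless the previous step is recorded for that request, rather than trusting that the client reached the page in order.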

[–] [email protected] 67 points 1 day ago (2 children)

WTF is going on with modern software development?

Lowest bidder.

[–] [email protected] 6 points 11 hours ago

Now add AI in the mix :)

[–] orrk 16 points 1 day ago

even worse, it's a joke, but it's true, the proof of concept is often also the final product

[–] [email protected] 14 points 1 day ago

Trust no-one, not even yourself.

[–] [email protected] 22 points 1 day ago (1 children)

Subaru data opt-out page from the EFF:

https://www.subaru.com/support/consumer-privacy.html

No idea if they respect it, but it's a good idea regardless.

[–] [email protected] 4 points 10 hours ago

Best case: It actually opts you out.
Worst case: They ignore it, and you've only supplied them with info they already have.

[–] PalmTreeIsBestTree 19 points 1 day ago* (last edited 1 day ago) (2 children)

I'm glad Starlink doesn't work anymore on my older Subaru since it used 3G cell towers. To be specific, if any of you got a pre-2020 Outback, then you should not have to worry about this. I had a battery issue and the reason why is because my car was constantly searching for the towers and draining it. I ended up getting a free battery out of that ordeal though.

[–] Dr_Nik 7 points 12 hours ago (1 children)

They will now replace the Starlink module free of charge under a recall. Your battery will keep dying unless you either replace the module or remove the fuse that activated the thing.

[–] PalmTreeIsBestTree 4 points 12 hours ago (1 children)

They told me specifically that they didn’t replace it. I told them not to.

[–] Dr_Nik 6 points 12 hours ago (1 children)

Well sure...they won't replace it unless you want them to...it's your car. But what I mean to say is that they can replace it under warranty now and if you don't replace it you will keep losing batteries. That's what happened with my 2018 Outback (I went through a battery every 3-6 months for 3 years).

[–] PalmTreeIsBestTree 2 points 12 hours ago

I only had this battery replacement last year. My previous battery actually still worked okish when they replaced it, but they said they would replace it for me for free. It was almost 7 years old when I had it replaced.

[–] [email protected] 8 points 1 day ago* (last edited 1 day ago) (1 children)

Here's the list. Looks like it's mainly models up to 2018. Your 2020 is likely still affected.

[–] PalmTreeIsBestTree 5 points 1 day ago

Mine is an 18.

[–] just_another_person 28 points 1 day ago

Something similar was found on another system by a certain Korean carmaker and silently patched. I'm positive these types of systems will all be exploited more in the future, and need to be completely overhauled. Cars should not be reachable entities on any sort of network, especially one without proper IAC restrictions. They should be consumers of said information at best, but even that will eventually be impersonated somehow. We have the potential for turnkey system with all the damn devices running around that can be used as a 3-key-minimum system to ensure proper identity, but that would be giving consumers TOO MUCH CONTROL 🤣