Subaru left open a gaping security flaw that, although patched, lays bare modern vehicles' myriad privacy issues. Security researchers Sam Curry and Shubham Shah reported their findings (via Wired) about an easily hacked employee web portal. After gaining access, they were able to remotely control a test vehicle and view a year's worth of location data. They warn that Subaru is far from alone in having lax security around vehicle data.
After the security analysts notified Subaru, the company quickly patched the exploit. Fortunately, the researchers say less-than-ethical hackers hadn't breached it before then. But they say authorized Subaru employees can still access owners' location history with only a single piece of the following information: the owner's last name, zip code, email address, phone number or license plate. Engadget emailed Subaru for comment, and we'll update this story if we hear back.
The hacked admin portal was part of Subaru's Starlink suite of connectivity features. (No relation to the SpaceX satellite internet service of the same name.) Curry and Shah got in by finding a Subaru Starlink employee's email address on LinkedIn and resetting the worker's password after bypassing two required security questions, which was possible because that check took place in the end user's web browser, not Subaru's servers. They also bypassed two-factor authentication by doing "the simplest thing that we could think of: removing the client-side overlay from the UI."
Although the researchers' tests traced the test vehicle's location back one year, they can't rule out the possibility that authorized Subaru employees can snoop back even farther. That's because the test car (a 2023 Subaru Impreza Curry bought for his mother on the condition that he could hack it) had only been in use for about that long. The location data wasn't generalized to some broad swath of land, either: It was accurate to less than 17 feet and updated each time the engine started.
"After searching and finding my own vehicle in the dashboard, I confirmed that the Starlink admin dashboard should have access to pretty much any Subaru in the United States, Canada, and Japan," Curry wrote. "We wanted to confirm that there was nothing we were missing, so we reached out to a friend and asked if we could hack her car to demonstrate that there was no pre-requisite or feature which would've actually prevented a full vehicle takeover. She sent us her license plate, we pulled up her vehicle in the admin panel, then finally we added ourselves to her car."
In addition to tracking their location, the admin portal allowed the researchers to remotely start, stop, lock and unlock any Starlink-connected Subaru vehicle. They said Curry's mother never received notifications that they had added themselves as authorized users, nor did she receive alerts when they unlocked her car. They could also query and retrieve personal information for any customer, including their emergency contacts, authorized users, home address, the last four digits of their credit card and vehicle PIN. In addition, they were able to access the owner's support call history and the vehicle's previous owners, odometer reading and sales history.
The security researchers say the tracking and security failures stemming from the ability of a single employee to access a ton of personal information are hardly unique to Subaru. Wired notes that Curry and Shah's previous work exposed similar flaws affecting vehicles from Acura, Genesis, Honda, Hyundai, Infiniti, Kia, Toyota and others. The pair believes there's reason for serious concern about the industry's location tracking and poor security measures.
"The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won't really set off any alarm bells," Curry wrote. "It's part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust. It seems really hard to really secure these systems when such broad access is built into the system by default."
The researchers' full report is worth a read.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/subarus-poor-security-left-troves-of-vehicle-data-easily-accessible-182514123.html?src=rss
The Samsung Galaxy Ring is on sale for $280 via Amazon. This represents a discount of $120, though the promotion doesn't show up until checkout. Just pop the ring in your Amazon basket and start the checkout process to peep the discount. We were fairly positive about Samsung's first smart ring in our official review, calling it a surprisingly informative health-tracking device for those with compatible Samsung phones. We came away impressed by the comfort-forward design, which doesn't impede sleeping, writing that we barely feel it when trying to snooze. This is a boon for light sleepers. The health-tracking metrics are on point, especially when you consider that there's a new software update that uses compatible SmartThings devices to create a sleep environment report that takes factors like temperature, humidity, air quality and light intensity into account. Samsung's app lets users adjust any connected devices to improve local conditions. The major downside with the Galaxy Ring is the price, which has been somewhat alleviated by this sale. At least now it's slightly lower than the rival Oura Ring. This is a great wearable for those already tied into the Samsung ecosystem, but not the best fit for everyone else. Some of the features require a Samsung phone. Follow @EngadgetDeals on Twitter and subscribe to the Engadget Deals newsletter for the latest tech deals and buying advice.
This article originally appeared on Engadget at https://www.engadget.com/deals/the-samsung-galaxy-ring-is-on-sale-for-120-off-174530918.html?src=rss
The Academy of Motion Picture Arts and Sciences has announced this year's Oscar nominees and Netflix's Emilia Pérez leads the pack with 13. The musical crime drama has broken the record for the most nods for a non-English language film, overtaking Crouching Tiger, Hidden Dragon and Roma (Netflix's first-ever best picture nominee), which each had 10. Emilia Pérez scored nominations in the categories of best picture, international feature, supporting actress, cinematography, directing, editing, makeup and hairstyling, original score, original song (with two in that category), sound, adapted screenplay and best actress. That last one has extra significance as Karla Sofía Gascón is the first openly trans performer to earn an acting nomination. Although Elliot Page received a nomination for Juno in 2008, that was long before the actor transitioned. (Curiously, I Saw The TV Glow, which has been praised for its abstruse portrayal of trans experiences, is nowhere to be found among this year's nominees.) Netflix had the most nominations of any distributor for the second year in a row. An animated feature film nod for Wallace & Gromit: Vengeance Most Fowl, documentary short The Only Girl in the Orchestra and original song nominee Diane Warren (for The Journey from The Six Triple Eight) took Netflix's tally to 16. Perhaps Warren will finally win an Oscar this year at her 16th time of asking. Mubi, another streaming company, has six nominations this year, including five for the body horror film The Substance. Meanwhile, Disney+ scored one for Elton John and Brandi Carlile's song Never Too Late from the documentary Elton John: Never Too Late. This year's best picture nominees are Anora, The Brutalist, A Complete Unknown, Conclave, Dune: Part 2, Emilia Pérez, I'm Still Here, Nickel Boys, The Substance and Wicked.
You can find out the winners of this year's Academy Awards when the ceremony takes place on March 2, with the wonderful Conan O'Brien taking on hosting duties.
This article originally appeared on Engadget at https://www.engadget.com/entertainment/tv-movies/netflixs-emilia-perez-breaks-new-ground-with-its-oscar-nominations-173223767.html?src=rss