A determined duo of security experts recently revealed severe security flaws in a Starlink-connected infotainment system used by a major car brand, putting millions of vehicles at potential risk of hacking. The flaws could affect vehicle functions and exposed serious data privacy and security deficiencies that would make nearly any vehicle owner’s jaw drop. Knowing some of this, simply getting into a car can feel unnerving.

The security researcher started his investigation when he bought a car specifically with the intention of digging deep into any potential cyber-related flaws. Together with a fellow security researcher, he eventually began meticulously examining the internet-connected features of the vehicle. After significant sifting, they found an employee web portal for the vehicle that had multiple vulnerabilities allowing them to literally take remote control of some of the vehicle’s operations. That’s right – a stranger could control the car. They gained the power to unlock the vehicle, honk its horn, and even start the ignition. That raises physical safety concerns, quite apart from the nuisance of a blaring horn and the exhaust risk of an engine started unattended.

But probably the most unsettling find was their successful access to detailed location data. The Starlink-equipped vehicles had a system flaw that allowed them to collect at least one year of location history for lots of vehicles. The gathered location data showed detailed records of the car’s movements including its parking spots, visits to friends’ houses and even what were clearly medical appointments. The researchers highlighted how that kind of data could be harnessed to track people and even start extortion opportunities. Scary stuff to say the least.

It’s What an Organization Doesn’t Know

Systemic flaws within the administrative web application almost certainly lead to this type of vulnerability. It was discovered that employees used a subdomain whose JavaScript files contained vulnerabilities, which ultimately enabled the researchers to reset passwords by guessing email addresses. The client-side code failed to properly protect two-factor authentication and security questions, which allowed easy circumvention of the car manufacturer’s controls. The attackers simply used publicly available employee information from sites such as LinkedIn to gain control of an account and enter the admin panel.

They gained permission to search for vehicles and customers through basic identifiers such as last name or ZIP code from the admin portal – and since the system allowed unauthorized access to modify Starlink feature permissions, remote control of vehicles was possible. The system didn’t alert car owners to the potential breaches, so they remained completely ignorant of the existing threats.

It was pointed out that similar problems remain present throughout the automotive industry even after this specific manufacturer quickly fixed the issues following notification. The research team alongside their partners found similar system weaknesses in multiple major vehicle manufacturers within the last two years, with this incident standing out because it exposed just how much personal information automotive companies actually possess.

Continual Visibility Required for Web Application Security

The potential to access up to one year of location history clearly creates major privacy issues. After all, who thinks a car company is watching their unique driving habits? Experts believe the practice of keeping large logs poses greater dangers than advantages, particularly when security systems prove insufficient. The identified weaknesses in the system illustrate concerning patterns regarding how the automotive sector currently manages data privacy. Equipped with Internet connectivity, cameras and microphones, modern vehicles transform into sophisticated devices that retain massive amounts of data.

The car manufacturer did take the right steps by quickly fixing the web application security vulnerabilities and communicating with customers through a statement. The business maintained that all customer data remained secure from unauthorized entry, while emphasizing that its data gathering methods are essential for emergency services and retrieving stolen cars. The unclear details about how long data is kept and what types of data get stored generate legitimate concerns, however.

This incident underscores the need for constant vigilance as cars and trucks evolve from simple transportation to complex data-processing machines. Who knows how many other car manufacturers still have undetected web app vulnerabilities – ticking time bombs waiting to be exploited? That’s why securing web applications isn’t just important – it’s critical to protecting drivers and their data.

Verimatrix XTD for Web Helps Fortify Major Web Portals

Verimatrix XTD for Web provides organizations with robust protection for the websites and web applications that employees in the automotive industry and beyond rely on daily. As recent incidents have shown, web app vulnerabilities aren’t just theoretical—they’re real threats that can put both drivers and data at risk, creating a highway to hack for cybercriminals.

XTD for Web works behind the scenes to continuously monitor websites and applications, uncovering blind spots to ensure ongoing code protection, compliance, and data integrity—all without sacrificing performance or user experience.

Third-party scripts often enhance website functionality, but they also introduce hidden risks. XTD for Web identifies these vulnerabilities by maintaining a detailed inventory of scripts and monitoring their activity, ensuring organizations stay ahead of potential threats before they become full-blown security crises.

XTD for Web uniquely allows organizations to:

  • Keep code secure with cutting-edge security measures
  • Use advanced obfuscation to prevent reverse engineering
  • Lock code to prevent unauthorized code execution
  • Install monitoring via a one-click process
  • Protect sensitive data and comply with industry standards
  • Prevent data loss and secure sensitive user data
  • Receive real-time alerts of suspicious activity

To learn about XTD for Web, take a look at this page.