Subaru Starlink Vulnerability Poses Serious Risk of Remote Hacking

A significant security vulnerability in Subaru's Starlink connected vehicle service has been uncovered. This flaw potentially exposes customers in the US, Canada, and Japan to remote hacking threats. Security researcher Sam Curry, along with fellow researcher Shubham Shah, revealed that the infotainment system's admin portal was accessible without proper restrictions. Consequently, this allowed unauthorized access to sensitive customer and vehicle data.

Admin Portal Flaw Discovered

The Starlink system, designed to enhance the driving experience with remote functionalities, had an admin panel hosted on a subdomain of subarucs.com. By analyzing JavaScript files associated with this subdomain, the researchers discovered a critical flaw. Specifically, they found that anyone could change employee account passwords without requiring a confirmation token. As a result, an attacker could easily take control of an employee’s account by simply entering a valid email address.

Bypassing Security Measures

Curry explained, “If this vulnerability functioned as indicated in the JavaScript, an attacker could gain access to any employee account with minimal effort.” After identifying a valid employee email, the researchers reset the password. Furthermore, they bypassed two-factor authentication by removing a client-side overlay from the user interface. This action ultimately granted them full access to the admin panel’s features.
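The two weaknesses described above, a password reset that checks no confirmation token and a second-factor gate enforced only in the browser, are easiest to see side by side. The following sketch is an added illustration, not Subaru's code and not from the researchers' write-up; it assumes a constructed in-memory user store and shows the reset and authorization checks a server must perform itself.

```python
import hmac
import secrets
import time

# Constructed demo store (assumption: not the real system's data model).
USERS = {
    "alice@example.com": {"password": "old-pw", "mfa_enrolled": True, "mfa_verified": False},
    "bob@example.com": {"password": "old-pw", "mfa_enrolled": True, "mfa_verified": False},
}
RESET_TOKENS = {}  # token -> (email it was issued for, expiry timestamp)


def weak_reset(email, new_password):
    """The flaw the article describes: knowing a valid address is enough."""
    if email not in USERS:
        return "unknown"
    USERS[email]["password"] = new_password
    return "reset"


def issue_reset_token(email, ttl_seconds=900):
    """Server mints a random, single-use, expiring token for out-of-band delivery."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (email, time.time() + ttl_seconds)
    return token


def hardened_reset(email, token, new_password):
    """Reset succeeds only with an unexpired token bound to this exact account."""
    entry = RESET_TOKENS.pop(token, None)  # pop: a token is consumed on first use
    if entry is None:
        return "invalid-token"
    bound_email, expiry = entry
    if time.time() > expiry or not hmac.compare_digest(bound_email.encode(), email.encode()):
        return "invalid-token"
    USERS[email]["password"] = new_password
    USERS[email]["mfa_verified"] = False  # a reset never leaves the second factor satisfied
    return "reset"


def admin_action(email, client_says_mfa_done=False):
    """Authorization consults server-recorded MFA state; the client's claim is ignored,
    so removing a UI overlay cannot unlock anything."""
    user = USERS[email]
    if user["mfa_enrolled"] and not user["mfa_verified"]:
        return "mfa-required"
    return "allowed"
```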

Access to Sensitive Information

With access to the admin panel, the researchers could view sensitive vehicle information. This included historical location data, VINs, and customer details such as last names, ZIP codes, phone numbers, email addresses, and billing information. Notably, Curry confirmed that the Starlink admin dashboard could access virtually any Subaru vehicle in the United States, Canada, and Japan.

Vehicle Control Risks

Alarmingly, the admin panel also allowed the researchers to modify access permissions for vehicles. This capability enabled them to take control of a car without any prior authorization or notification to the owner. Thus, an attacker with access to this panel could easily add themselves as an authorized user, leaving the vehicle owner unaware of the breach.

Remote Functionality Exploited

In addition to querying vehicle and customer information, the researchers could remotely start, stop, lock, and unlock targeted vehicles. This raised serious concerns about the security of connected cars.

Swift Response from Subaru

Curry reported the vulnerability to Subaru on November 20, 2024. Fortunately, the automaker responded swiftly, addressing the security flaw within 24 hours of the report.

A Growing Concern in Automotive Security

This incident follows Curry’s previous warnings about vulnerabilities in automotive systems. For instance, last year, he highlighted a bug in a Kia car owners’ website that exposed millions of vehicles to hacking risks. Additionally, in 2023, he and a team of researchers revealed that flaws in telematics systems and automotive APIs had put cars from 16 manufacturers at risk of data leaks and remote control, including issues related to a Sirius XM connected vehicle service.
