https://samcurry.net/hacking-subaru
A critical security vulnerability in Subaru’s Starlink service could have allowed attackers to remotely control and track vehicles in the United States, Canada, and Japan.
The flaw, discovered by security researchers Sam Curry and Shubham Shah, enabled attackers to gain unrestricted access to customer accounts using limited information such as the victim’s last name, ZIP code, email address, phone number, or license plate.
This access would have allowed attackers to:
- Remotely start, stop, lock, and unlock vehicles.
- Track vehicle locations in real time and access historical location data.
- Access sensitive customer information, including personal details, billing information, and emergency contacts.
The researchers exploited a vulnerability in the Starlink admin portal that let them bypass its authentication and gain unauthorized access to customer accounts. The portal's two-factor authentication (2FA) offered little protection: because the 2FA prompt was enforced only in the browser, it could be bypassed simply by removing the client-side overlay from the portal's user interface.
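The 2FA failure described above is a general pattern: the server grants a fully privileged session after the password step and leaves the second factor to the front end, so hiding the prompt is enough to skip it. The following is an added illustration, not Subaru's or the researchers' code; it models a hypothetical portal with constructed credentials and contrasts UI-only gating with a server-side session state that privileged endpoints must check.

```python
# Added example (hypothetical portal, constructed credentials): why a 2FA
# check that lives only in the browser does nothing, and how a server-side
# session state closes the gap.
from dataclasses import dataclass, field
import secrets

# Constructed test user; a real system would store hashed passwords and TOTP seeds.
USERS = {"admin@example.com": {"password": "hunter2", "totp": "123456"}}


@dataclass
class Session:
    user: str
    mfa_verified: bool = False
    token: str = field(default_factory=lambda: secrets.token_hex(16))


def _check_password(email, password):
    u = USERS.get(email)
    return u is not None and secrets.compare_digest(u["password"], password)


def login_vulnerable(email, password):
    """Vulnerable pattern: the password alone yields a fully privileged session.
    The 2FA prompt is only an overlay drawn by the front end, so deleting that
    overlay (or calling the API directly) skips it entirely."""
    if not _check_password(email, password):
        return None
    return Session(user=email, mfa_verified=True)  # server never sees a code


def lookup_vehicle_vulnerable(session):
    return "vehicle-record" if session else "denied"


def login_hardened(email, password):
    """Hardened pattern: the password step creates a session that may only
    call the MFA endpoint until a valid code has been presented."""
    if not _check_password(email, password):
        return None
    return Session(user=email, mfa_verified=False)


def verify_mfa(session, code):
    if session and secrets.compare_digest(USERS[session.user]["totp"], code):
        session.mfa_verified = True
    return bool(session and session.mfa_verified)


def lookup_vehicle_hardened(session):
    # Every privileged endpoint checks the server-held flag, never the UI.
    if not session or not session.mfa_verified:
        return "denied"
    return "vehicle-record"
```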
Subaru addressed the issue within 24 hours of being notified. Although this specific flaw was not exploited, it highlights the critical importance of robust security measures for connected vehicles, and in particular of enforcing authentication controls on the server rather than in the user interface.
This incident follows a similar vulnerability discovered in Kia’s dealer portal, emphasizing the need for automakers to prioritize vehicle security and protect customer data.