A recent discovery by security researcher Sam Curry has revealed a vulnerability in Subaru’s Starlink connected vehicle service that provided unrestricted access to customer accounts in the US, Canada, and Japan. Starlink, the in-vehicle infotainment system for Subaru vehicles, exposed remote functionality through an admin portal that only employees should have been able to reach. Working alongside security researcher Shubham Shah, Curry found that the admin panel was hosted on a subdomain of subarucs.com and identified JavaScript files showing that an employee’s account password could be changed without a confirmation token. This loophole meant that an attacker could potentially take over the account behind any valid employee email address.
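The core defect described above is a password-reset handler that acts on the account identifier alone. The following added example (illustrative code, not Subaru’s or the researchers’ own) contrasts that pattern with a hardened reset flow in which the server mints a random, expiring, single-use token, stores only its hash, and changes the password only when the presented token matches. The account store, email address and TTL are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory account store for the demonstration (not a real system).
ACCOUNTS = {"employee@example.com": {"password": "old-pass", "reset": None}}
RESET_TTL_SECONDS = 15 * 60  # assumed token lifetime


def reset_password_unchecked(email, new_password):
    """Weak pattern: the handler trusts the email alone and never checks a confirmation token,
    so anyone who can reach the endpoint can set a new password for any known address."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    acct["password"] = new_password
    return True


def issue_reset_token(email, now=None):
    """Hardened flow, step 1: mint a random single-use token, persist only its hash plus an expiry,
    and deliver the plaintext token solely to the account's verified email address."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None  # the HTTP layer should still answer identically to avoid account enumeration
    token = secrets.token_urlsafe(32)
    issued = now if now is not None else time.time()
    acct["reset"] = {
        "hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": issued + RESET_TTL_SECONDS,
    }
    return token


def reset_password_checked(email, token, new_password, now=None):
    """Hardened flow, step 2: change the password only if a pending token exists, the presented
    value matches its hash (constant-time compare), and it is unexpired; then invalidate it."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["reset"] is None:
        return False
    pending = acct["reset"]
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    current = now if now is not None else time.time()
    acct["reset"] = None  # single use: consumed whether it was valid or expired
    if current > pending["expires"]:
        return False
    acct["password"] = new_password
    return True
```

The weak handler succeeds for any known address with no proof of mailbox control; the checked handler refuses a guessed, reused or stale token.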
Following their discovery, the researchers were able to reset passwords, bypass two-factor authentication, and gain access to the admin panel’s functionality. Within the admin panel, they found a wealth of sensitive information, including vehicle data such as historical locations and VINs, and customer details like names, ZIP codes, phone numbers, email addresses, and billing information. Curry confirmed that the Starlink admin dashboard had access to virtually any Subaru vehicle in the United States, Canada, and Japan.
Moreover, the vulnerability also allowed the researchers to grant or modify access to vehicles, essentially enabling the takeover of a car without the owner being alerted. By adding themselves as authorized users to a vehicle through the admin portal, an attacker could assume control without the owner’s knowledge. In addition to accessing vehicle and customer data, Curry noted that the researchers could remotely start, stop, lock, and unlock target vehicles.
Once the vulnerability was identified, Curry promptly reported it to Subaru on November 20, 2024. The car manufacturer swiftly responded and addressed the security flaw within 24 hours of receiving the report. This proactive response highlights the importance of prompt action in addressing potential cybersecurity threats in connected vehicles.
This incident follows Curry’s prior warnings about vulnerabilities in automotive systems, such as a bug in a Kia car owners’ website that exposed millions of cars to remote hacking. In collaboration with other researchers, Curry also revealed flaws in telematics systems, automotive APIs, and infrastructure that exposed cars from 16 different manufacturers to data leaks and remote control. Additionally, an issue in a Sirius XM connected vehicle service put multiple car brands at risk of hacking.
In a landscape where vehicles are becoming increasingly connected and reliant on digital systems, the importance of robust cybersecurity measures cannot be overstated. As demonstrated by the swift response from Subaru in addressing the Starlink vulnerability, proactive measures and continuous monitoring are essential to safeguarding against potential cyber threats in the automotive industry. The collaboration between researchers, industry stakeholders, and cybersecurity experts is crucial in identifying and mitigating vulnerabilities to ensure the safety and security of connected vehicles and their users.
Moving forward, ongoing efforts to enhance cybersecurity protocols and address vulnerabilities in connected vehicles are imperative to prevent unauthorized access, data breaches, and potential threats to vehicle safety and privacy. By staying vigilant and proactive in addressing cybersecurity risks, stakeholders in the automotive industry can help build a more secure and resilient ecosystem for connected vehicles and IoT technologies.