
Subaru’s STARLINK Connected Car Vulnerability Allows Attackers to Gain Restricted Access


On November 20, 2024, cybersecurity researchers Shubham Shah and a colleague discovered a significant security vulnerability in Subaru’s STARLINK connected vehicle service. The flaw enabled unauthorized and unrestricted access to vehicles and customer accounts in the United States, Canada, and Japan.

By exploiting this vulnerability, malicious actors could manipulate vehicle functions remotely and gain access to sensitive customer data. This unauthorized access allowed them to perform actions such as unlocking vehicles, tracking location history, and retrieving personally identifiable information (PII). The potential for exploitation was vast and alarming.

Upon receiving the researchers’ report, Subaru patched the vulnerability within 24 hours. This swift response helped prevent large-scale exploitation and protected customers from potential harm.

The researchers detailed how even minimal user information, such as a victim’s last name, ZIP code, email address, phone number, or license plate, was enough to exploit the STARLINK system. This flaw in the system allowed them to access and control vehicles with ease, posing a significant threat to customer safety and privacy.

The researchers discovered systemic flaws in access controls while investigating Subaru’s back-end systems. They found an employee-facing STARLINK admin panel that provided broad access to vehicles and customer records. By exploiting a flaw in the “resetPassword.json” endpoint, they were able to reset employee passwords without verification or a token, gaining unauthorized access to the system.

Further investigation revealed weak implementation of two-factor authentication (2FA) in the admin panel, which the researchers bypassed with simple client-side modifications. This security loophole allowed them unfettered access to vehicle control features and sensitive customer data for STARLINK-enabled vehicles.
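The two server-side checks whose absence is described above (a reset that requires no token, and 2FA that can be bypassed in the client), sketched as an added example that is not code from the researchers or from Subaru. The class, its field names, the one-time-code delivery and the 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
RESET_TTL = 900  # assumed policy: reset tokens expire after 15 minutes

def _sha(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()
def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AdminAuth:
    """Constructed in-memory model; every name here is hypothetical."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pw = {}        # email -> (salt, derived key)
        self.resets = {}    # email -> (sha256 of token, expiry)
        self.sessions = {}  # session id -> {"email", "otp", "mfa_ok"}

    def issue_reset(self, email):
        # The token is sent to the account owner out of band, never to the caller.
        token = secrets.token_urlsafe(32)
        self.resets[email] = (_sha(token), self.clock() + RESET_TTL)
        return token

    def reset_password(self, email, token, new_password):
        # pop() makes the token single use, even when the attempt fails.
        digest, expiry = self.resets.pop(email, (b"", 0.0))
        fresh = bool(digest) and self.clock() <= expiry
        if not (fresh and hmac.compare_digest(digest, _sha(token or ""))):
            return False
        salt = secrets.token_bytes(16)
        self.pw[email] = (salt, _kdf(new_password, salt))
        return True

    def login(self, email, password):
        salt, key = self.pw.get(email, (b"\0" * 16, b""))
        if not hmac.compare_digest(key, _kdf(password, salt)):
            return None
        sid, otp = secrets.token_urlsafe(16), f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid] = {"email": email, "otp": otp, "mfa_ok": False}
        return sid

    def verify_mfa(self, sid, code):
        s = self.sessions.get(sid)
        if s is None or not hmac.compare_digest(s["otp"].encode(), str(code).encode()):
            return False
        s["mfa_ok"] = True
        return True

    def authorize(self, sid):
        # Checked on every admin request: the flag lives on the server, not in the UI.
        return self.sessions.get(sid, {}).get("mfa_ok", False)
```

A password-only session stays unauthorized until `verify_mfa` succeeds on the server, so hiding or removing a 2FA prompt in the browser changes nothing about what `authorize` returns.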

To validate the severity of the vulnerability, the researchers conducted controlled experiments on their own and consenting individuals’ vehicles. They successfully added themselves as authorized users to a friend’s Subaru through the admin panel and executed remote commands without the owner’s knowledge or notification.

The researchers also demonstrated the ability to retrieve extensive customer information from the STARLINK admin dashboard, including physical addresses, emergency contacts, and billing data. This breach highlighted the critical need for robust access controls, multi-layered authentication mechanisms, and rigorous security testing in connected vehicle systems.

While Subaru’s prompt response mitigated potential harm, the incident exposed systemic challenges in securing connected vehicle systems. The auto industry’s reliance on trust, and the extensive default data access it grants to employees, poses a significant security risk, as demonstrated by this vulnerability.

In light of this discovery, the researchers emphasized the importance of implementing stringent security measures in connected vehicle systems to safeguard user safety and privacy. As vehicle automation and connectivity become more prevalent, vulnerabilities like these could have far-reaching consequences if not addressed promptly and effectively.
