A major security vulnerability in Subaru's Starlink connected vehicle service left cars and customer accounts exposed to potential remote attacks across the United States, Canada, and Japan, according to security researchers Sam Curry and Shubham Shah.
The researchers discovered they could gain unauthorized access to vehicles and customer accounts by exploiting a weakness in Subaru's administrative system. The flaw could be triggered using basic customer information like a last name and ZIP code, email address, phone number, or license plate number.
Once exploited, the vulnerability gave access to sensitive data including:
- Vehicle location history
- Personal identification information
- Billing details
- Vehicle PINs
- User records
- Direct vehicle control capabilities
The researchers demonstrated the security gap by successfully accessing and unlocking a volunteer's vehicle remotely, without triggering any notification systems.
The technical exploit began with subdomain scanning, which led the researchers to Subaru's STARLINK admin portal. There they found they could reset employee account passwords without proper verification, effectively bypassing security measures including two-factor authentication.
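To show the class of weakness the article describes, a reset endpoint that never verifies who is asking and never consults the second factor, next to the checks a hardened reset would apply, here is an added example. It is a constructed model, not Subaru's code or the researchers' tooling; the `Portal` class, its field names and the 15-minute token lifetime are assumptions.

```python
import hashlib, hmac, secrets

# Constructed model of an admin-portal password reset (assumption, not Subaru's code).
RESET_TTL = 15 * 60  # seconds a reset token stays valid

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the second factor the reset must honour."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class Portal:
    def __init__(self):
        self.users = {}         # username -> {"pw": str, "totp_secret": bytes}
        self.reset_tokens = {}  # sha256(token) -> (username, expires_at)

    def add_user(self, name, password, totp_secret):
        self.users[name] = {"pw": password, "totp_secret": totp_secret}

    # Weak pattern: the endpoint trusts the request alone, so naming an account
    # sets its password and the second factor is never consulted.
    def reset_unverified(self, name, new_password):
        if name not in self.users:
            return False
        self.users[name]["pw"] = new_password
        return True

    # Hardened pattern: a single-use, expiring token delivered out of band
    # and bound to one account, plus that account's second factor.
    def issue_reset_token(self, name, now):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[digest] = (name, now + RESET_TTL)
        return token  # delivered to the account's verified contact, never echoed

    def reset_verified(self, name, token, code, new_password, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)  # consumed on first use
        if entry is None:
            return False
        owner, expires_at = entry
        if owner != name or now >= expires_at:
            return False
        expected = totp(self.users[name]["totp_secret"], now)
        if not hmac.compare_digest(expected, code):
            return False
        self.users[name]["pw"] = new_password
        return True
```

A reset that consumes the token on first use, checks its expiry and owner, and then demands the account's TOTP code is the property the article says was missing; every failed branch returns without touching the stored password.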
After discovering the vulnerability, the research team promptly reported it to Subaru on November 20, 2024. The automaker responded swiftly, implementing a fix within 24 hours of notification.
This incident highlights ongoing cybersecurity challenges in connected vehicle systems and the importance of robust security measures to protect consumer privacy and vehicle safety.