Sunday, February 9, 2025
Homecyber securitySubaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

Published on

SIEM as a Service

Follow Us on Google News

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a colleague unearthed a major security vulnerability in Subaru’s STARLINK connected vehicle service.

The flaw allowed unauthorized, unrestricted access to vehicles and customer accounts across the United States, Canada, and Japan.

By exploiting this vulnerability, malicious actors could remotely control vehicle functions and access sensitive customer data actions that included unlocking vehicles, tracking location history, and retrieving personally identifiable information (PII).

Subaru quickly patched the vulnerability within 24 hours after receiving the researchers’ report, averting potential large-scale exploitation.

The researchers detailed how minimal user information, such as a victim’s last name, ZIP code, email address, phone number, or license plate, was sufficient to exploit the STARLINK system.

This access allowed them to perform actions such as remotely starting, stopping, locking, and unlocking vehicles.

They also managed to retrieve a vehicle’s one-year location history, accurate to within five meters, and access customers’ sensitive data, including emergency contacts, billing information, and even vehicle PINs.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Systemic Flaws in Access Controls

The researchers initially examined Subaru’s MySubaru mobile app but found its security robust.

Shifting focus, they investigated Subaru’s back-end systems and stumbled upon an employee-facing STARLINK admin panel, which provided broad access to vehicles and customer records.

By exploiting a flaw in the “resetPassword.json” endpoint, they reset employee passwords without requiring verification or a token.

Using publicly available information, such as employee email addresses from LinkedIn, they successfully gained unauthorized access to the system.

Further investigation revealed the admin panel’s weak two-factor authentication (2FA) implementation, which the researchers bypassed with simple client-side modifications.

Subaru’s STARLINK Connected Car’s

2FA bypassed.

Once inside, the admin dashboard provided unfettered access to vehicle control features and customer data for STARLINK-enabled vehicles.

Real-World Scenarios and Vehicle Access

To validate the severity of the vulnerability, the researchers conducted controlled experiments on their own vehicles and those of consenting individuals.

For example, they added themselves as authorized users to a friend’s Subaru by using the admin panel and then successfully executed remote commands, including unlocking the vehicle, all without the owner receiving any notification.

Subaru’s STARLINK Connected Car’s

The Subaru STARLINK admin panel.

The researchers also demonstrated the ability to retrieve extensive customer information, such as physical addresses, emergency contacts, and billing data, all from the STARLINK admin dashboard.

The researchers reported the vulnerability to Subaru’s security team late on November 20, 2024.

Subaru acknowledged the flaw the next morning and deployed a fix by the afternoon, preventing further exploitation.

While the company’s swift action mitigated potential harm, the incident highlighted systemic challenges in securing connected vehicle systems.

The auto industry, as the researchers pointed out, often grants extensive access to sensitive data by default to employees, relying heavily on trust.

This discovery underscores the critical need for robust access controls, multi-layered authentication mechanisms, and rigorous security testing in connected vehicle systems.

As automation and connectivity continue to define modern vehicles, vulnerabilities like this could have far-reaching consequences for user safety and privacy.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...