Subaru STARLINK Connected Car Vulnerability Allowed Attackers Unrestricted Access

A glaring security vulnerability in Subaru’s STARLINK connected vehicle service was uncovered on November 20, 2024, by independent cybersecurity researchers Shubham Shah and another expert.

This vulnerability, now resolved, exposed Subaru customers across the United States, Canada, and Japan to potential targeted attacks, granting unrestricted access to vehicles and sensitive personal information.

Exploiting the Flaw

The severity of the vulnerability lay in its reach and ease of exploitation.

An attacker needed only one piece of basic information about the owner: their last name and ZIP code, their email address, their phone number, or their license plate. With that, the attacker could:

  1. Remote Vehicle Command: Start, stop, lock, and unlock any STARLINK-connected Subaru remotely.
  2. Location Tracking: Access detailed location histories for up to a year, with GPS data accurate to within 5 meters, updated each time the engine started.
  3. Personal Data Theft: Retrieve comprehensive personal information including physical addresses, billing data, emergency contacts, and user PINs along with vehicle data like odometer readings and support history.

A proof-of-concept test showed how little the attack required: starting from nothing but a license plate number, the researchers reached the target vehicle through Subaru’s backend systems in under 10 seconds.

Subaru’s System Weaknesses

The vulnerability stemmed from flawed permission handling in Subaru’s STARLINK administrative portal.

The researchers initially tested the MySubaru App for potential weaknesses but found its customer-facing endpoints adequately secured.

By reading the JavaScript loaded by the admin panel’s login page, the researchers discovered an unprotected endpoint (resetPassword.json) that reset an employee’s password given only their email address, without requiring any confirmation token.

[Image: logged in to the STARLINK admin portal.]

After enumerating potential employee email addresses using another endpoint (getSecurityQuestion.json) and publicly available data, they confirmed account takeover was viable using a simple POST request.

The 2FA (two-factor authentication) prompt meant to protect the admin portal was enforced only in the browser: the portal behind it was already loaded and functional, so removing the client-side overlay from the page was enough to bypass it, allowing the researchers to explore the full extent of the system’s backend functionality.
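As an added illustration (this is not Subaru’s code and is not taken from the researchers’ writeup), the block below puts the three weaknesses just described next to hardened equivalents: a password reset that needs no token, a security-question lookup that reveals which accounts exist, and a second factor the server never actually checks. Only the endpoint names resetPassword.json and getSecurityQuestion.json come from the article; every function, class and data structure here is hypothetical, the employee directory is a constructed stand-in, and the one-time-code routine is plain RFC 4226 HOTP.

```python
"""Password reset and second-factor handling: weak patterns beside hardened ones.

Added example, not Subaru's code. Handler names, the in-memory directory and the
reset-token policy are hypothetical; the endpoint names in the docstrings are
the ones the article reports.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # assumed policy: reset tokens live 15 minutes

# Constructed employee directory standing in for a real user store.
USERS = {"alice@example.com": {"password_hash": None, "question": "First car?"}}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry); tokens are never stored in clear
OUTBOX = []         # stands in for the out-of-band mail transport


def _sha256(value: str) -> str:
    # Demo only: real password storage uses a slow hash such as argon2 or bcrypt.
    return hashlib.sha256(value.encode()).hexdigest()


# ---- Weak patterns, modelled on what the article describes -----------------

def weak_reset_password(email: str, new_password: str) -> dict:
    """resetPassword.json-style handler: no token, so knowing an address is enough."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "no such user"}
    user["password_hash"] = _sha256(new_password)
    return {"ok": True}


def weak_security_question(email: str) -> dict:
    """getSecurityQuestion.json-style handler: the error tells real accounts apart."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "no such user"}   # enumeration oracle
    return {"ok": True, "question": user["question"]}


class WeakSession:
    """2FA exists only as a client-side overlay; the server never checks it."""
    def __init__(self, email: str):
        self.email = email

    def admin_query(self) -> dict:
        return {"ok": True, "data": f"records for {self.email}"}


# ---- Hardened equivalents --------------------------------------------------

def request_reset(email: str, now=None) -> dict:
    """Identical response whether or not the address exists; token leaves out-of-band."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[_sha256(token)] = (email, now + TOKEN_TTL)
        OUTBOX.append((email, token))
    return {"ok": True, "message": "If that address is registered, a reset link was sent."}


def complete_reset(token: str, new_password: str, now=None) -> dict:
    """Token is single-use, expiring and bound to one account; looked up by its hash."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_sha256(token), None)   # pop: a token cannot be replayed
    if entry is None or entry[1] < now:
        return {"ok": False, "error": "invalid or expired token"}
    email, _ = entry
    USERS[email]["password_hash"] = _sha256(new_password)
    for key, (other, _) in list(RESET_TOKENS.items()):   # other outstanding tokens die too
        if other == email:
            del RESET_TOKENS[key]
    return {"ok": True}


def check_password(email: str, password: str) -> bool:
    stored = USERS[email]["password_hash"]
    return stored is not None and hmac.compare_digest(stored, _sha256(password))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; an authenticator app's TOTP is the same with counter = time // 30."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HardenedSession:
    """The second factor is state the server holds; every privileged call checks it."""
    def __init__(self, email: str, otp_secret: bytes):
        self.email = email
        self.otp_secret = otp_secret
        self.counter = 0
        self.mfa_verified = False

    def verify_second_factor(self, code: str) -> bool:
        expected = hotp(self.otp_secret, self.counter)
        self.counter += 1                          # each code is accepted at most once
        if hmac.compare_digest(code, expected):
            self.mfa_verified = True
        return self.mfa_verified

    def admin_query(self) -> dict:
        if not self.mfa_verified:
            return {"ok": False, "error": "second factor required"}
        return {"ok": True, "data": f"records for {self.email}"}
```

The point of the hardened half is that nothing the browser does can change the outcome: `request_reset` answers the same way for real and fake addresses, so the enumeration step has nothing to read; a reset needs a secret that only the mailbox owner receives, and that secret is hashed at rest, expires, and burns on first use; and `HardenedSession.admin_query` refuses until the server itself has seen a valid one-time code, so deleting a client-side overlay gains an attacker nothing.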

Access to the STARLINK admin portal granted the researchers alarming capabilities, including retrieving detailed one-year movement logs of any vehicle, querying customer details, and modifying user permissions.

[Image: the Subaru STARLINK admin panel.]

In one instance, they tracked the vehicle of one researcher’s mother, mapping over 1,600 GPS coordinates tied to ignition or telematics commands.

To further test the exploit, a friend allowed them to access their Subaru’s system.

The researchers successfully added themselves as an authorized user, remotely unlocking the car without any notification to the owner. The friend later shared video confirmation of the command’s success.

Subaru’s security operations team responded promptly after the vulnerability was reported. Within hours, the affected systems were patched, rendering exploitation attempts ineffective.

Nonetheless, the incident highlights a systemic risk in modern connected car systems: a single centralized portal gives staff in every region broad access to customers’ data and vehicles, with no granular, need-to-know access controls and no notification to the owner when that access is used.

This exploit demonstrates the challenge automakers face in balancing connectivity and security.

As connected vehicle technologies continue to expand, researchers stress the importance of stringent access protocols, user notification mechanisms, and regular security audits to safeguard personal data and prevent misuse.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
