A vulnerability in Subaru’s Starlink connected vehicle service provided unrestricted access to the accounts of customers in the US, Canada, and Japan, security researcher Sam Curry says.
Starlink, the in-vehicle infotainment system for Subaru vehicles, provided remote functionality that could be accessed from an administrator portal that only employees should have access to.
Together with security researcher Shubham Shah, Curry discovered that the admin panel was hosted on a subdomain of subarucs.com and, after finding JavaScript files the subdomain was using, discovered that the password for any employee’s account could be changed without a confirmation token.
“If this worked how it was written in the JavaScript, then an attacker could simply enter any valid employee email and take over their account,” Curry explains.
After identifying a valid employee email, the researchers reset the password and then removed the client-side overlay from the UI to bypass two-factor authentication, which provided them with access to the panel’s functionality.
Access to the admin panel, Curry says, allowed them to view vehicle information, including historical location data, VIN number, and other data, as well as customer information, such as last name, ZIP code, phone number, email address, and billing information.
“After searching and finding my own vehicle in the dashboard, I confirmed that the Starlink admin dashboard should have access to pretty much any Subaru in the United States, Canada, and Japan,” Curry says.
What’s more, the researchers discovered that the admin panel allowed them to grant/modify access to cars, essentially enabling vehicle takeover without any pre-requisite, and without the car owner being alerted.
An attacker with access to the admin panel could take over a car by simply adding themselves as an authorized user to that vehicle, and the owner would receive no notification of this action.
In addition to enabling them to query any vehicle and customer information, this level of access to the admin panel also allowed the researchers to remotely start, stop, lock, and unlock a target vehicle, Curry says.
Curry reported the vulnerability to Subaru on November 20, 2024, and the car maker addressed the security defect within 24 hours after receiving the report.
Last year, Curry warned of a bug in a Kia car owners’ website exposing millions of cars to remote hacking. Together with six other researchers, in 2023 he revealed that flaws in telematic systems, automotive APIs, and infrastructure exposed cars from 16 makers to data leaks and remote control, and that an issue in a Sirius XM connected vehicle service put several car vehicle brands at risk of hacking.
Related: Hackers Earn $886,000 at Pwn2Own Automotive 2025 for Charger, OS, Infotainment Exploits
Related: NMFTA Appoints Cybersecurity Director to Help Protect Trucking Industry
Related: US, EU to Ramp Up Chip Making and Raise Pressure on Russia
Related: The Rise of Industrial IoT and How to Mitigate Risk
