Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Subaru Starlink Vulnerability Exposed Cars to Remote Hacking

A vulnerability in Subaru’s Starlink connected vehicle service exposed US, Canada, and Japan vehicle and customer accounts.

Subaru hacking

A vulnerability in Subaru’s Starlink connected vehicle service provided unrestricted access to the accounts of customers in the US, Canada, and Japan, security researcher Sam Curry says.

Starlink, the in-vehicle infotainment system for Subaru vehicles, provided remote functionality that could be accessed from an administrator portal that only employees should have access to.

Together with security researcher Shubham Shah, Curry discovered that the admin panel was hosted on a subdomain of subarucs.com and, after finding JavaScript files the subdomain was using, discovered that the password for any employee’s account could be changed without a confirmation token.

“If this worked how it was written in the JavaScript, then an attacker could simply enter any valid employee email and take over their account,” Curry explains.

After identifying a valid employee email, the researchers reset the password and then removed the client-side overlay from the UI to bypass two-factor authentication, which provided them with access to the panel’s functionality.

Access to the admin panel, Curry says, allowed them to view vehicle information, including historical location data, VIN number, and other data, as well as customer information, such as last name, ZIP code, phone number, email address, and billing information.

“After searching and finding my own vehicle in the dashboard, I confirmed that the Starlink admin dashboard should have access to pretty much any Subaru in the United States, Canada, and Japan,” Curry says.

What’s more, the researchers discovered that the admin panel allowed them to grant/modify access to cars, essentially enabling vehicle takeover without any pre-requisite, and without the car owner being alerted.

Advertisement. Scroll to continue reading.

An attacker with access to the admin panel could take over a car by simply adding themselves as an authorized user to that vehicle, and the owner would receive no notification of this action.

In addition to enabling them to query any vehicle and customer information, this level of access to the admin panel also allowed the researchers to remotely start, stop, lock, and unlock a target vehicle, Curry says.

Curry reported the vulnerability to Subaru on November 20, 2024, and the car maker addressed the security defect within 24 hours after receiving the report.

Last year, Curry warned of a bug in a Kia car owners’ website exposing millions of cars to remote hacking. Together with six other researchers, in 2023 he revealed that flaws in telematic systems, automotive APIs, and infrastructure exposed cars from 16 makers to data leaks and remote control, and that an issue in a Sirius XM connected vehicle service put several car vehicle brands at risk of hacking. 

Related: Hackers Earn $886,000 at Pwn2Own Automotive 2025 for Charger, OS, Infotainment Exploits

Related: NMFTA Appoints Cybersecurity Director to Help Protect Trucking Industry

Related: US, EU to Ramp Up Chip Making and Raise Pressure on Russia

Related: The Rise of Industrial IoT and How to Mitigate Risk

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.