A critical vulnerability in Subaru's Starlink in-vehicle service has been discovered that allowed attackers to remotely track, unlock, and even start affected vehicles.
Ethical hacker Sam Curry uncovered an arbitrary account takeover vulnerability in the Starlink admin portal. This Subaru bug allowed him to compromise a Subaru employee account.
Curry bypassed multi-factor authentication (MFA) by removing the client-side overlay from the user interface. He then used a vehicle search function that, given minimal information such as a customer’s last name and zip code, phone number, email address, or VIN (obtainable from a license plate), returned vehicle data and let him grant or modify access to the vehicle. This Subaru Starlink vulnerability gave him control over numerous aspects of Subaru vehicles.
“One of them was a vehicle search which let you query a customer’s last name and zip code, phone number, email address, or VIN number (retrievable via license plate) and grant/modify access to their vehicle.”
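The two weaknesses described above, an MFA gate enforced only in the browser and a search that hands any employee any customer's record, are both server-side authorization problems. The following is an added example, not Subaru's or Curry's code: a constructed in-memory model of an admin vehicle-search endpoint that verifies the second factor on the server, rejects overly broad queries, scopes results to the employee's own region, and records every lookup so an out-of-region PII query (the "no alarm bells" concern Curry raises below) becomes visible to monitoring. The session fields, role name, region scoping and 15-minute step-up window are assumptions.

```javascript
// Added example, not Subaru's or Curry's code. A constructed in-memory model of an
// admin "vehicle search" endpoint showing server-side checks: MFA verified by the
// server (a client-side overlay is not a check), minimum query specificity,
// per-employee region scoping, and an audit record for every lookup.
const MFA_STEP_UP_TTL_MS = 15 * 60 * 1000; // assumed re-verification window for admin actions

// Constructed sample records; VINs are placeholders, not real vehicles.
const VEHICLES = [
  { vin: "VIN-CONSTRUCTED-0001", ownerLastName: "Doe", zip: "90001", region: "CA", phone: "555-0100" },
  { vin: "VIN-CONSTRUCTED-0002", ownerLastName: "Roe", zip: "75001", region: "TX", phone: "555-0101" },
];

const auditLog = []; // every lookup is recorded, whether in scope or not

// Accept only queries specific enough to identify one customer: a VIN, or last name plus zip.
function isSpecificEnough(q) {
  return Boolean(q.vin) || Boolean(q.lastName && q.zip);
}

function authorizeVehicleSearch(session, query, now) {
  if (!session || !session.authenticated) return { ok: false, reason: "unauthenticated" };
  // The second factor must have been verified by the server, recently, for this session;
  // nothing the browser shows or hides counts.
  if (!session.mfaVerifiedAt || now - session.mfaVerifiedAt > MFA_STEP_UP_TTL_MS) {
    return { ok: false, reason: "mfa_required" };
  }
  if (!session.roles.includes("vehicle-support")) return { ok: false, reason: "forbidden" };
  if (!isSpecificEnough(query)) return { ok: false, reason: "query_too_broad" };

  const matches = VEHICLES.filter(v =>
    (query.vin && v.vin === query.vin) ||
    (query.lastName && v.ownerLastName === query.lastName && v.zip === query.zip));

  // Full records only for the employee's own regions; anything else is redacted and
  // flagged, so a Texas support employee querying a California owner is visible.
  const results = matches.map(v => {
    const inScope = session.regions.includes(v.region);
    auditLog.push({ at: now, user: session.user, vin: v.vin, inScope, query });
    return inScope ? v : { vin: v.vin, region: v.region, redacted: true };
  });
  return { ok: true, results, flagged: results.filter(r => r.redacted).length };
}
```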
The Subaru security flaw granted Curry extensive access. He could:
- Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.
- Access a vehicle’s complete location history for the past year, accurate to within five meters.
- Retrieve personally identifiable information (PII) of any customer, including emergency contacts, addresses, and billing information.
- Access miscellaneous user data, including support call history, previous owners, odometer readings, and sales history.
Effectively, this Subaru bug gave Curry the ability to remotely control “pretty much any Subaru in the US, Canada, and Japan.”
Fortunately, Subaru reacted swiftly. Upon being contacted, they patched the vulnerability within 24 hours. However, Curry raised broader concerns about the auto industry’s security practices.
“The auto industry is unique in that an 18-year-old employee from Texas can query the billing information of a vehicle in California, and it won’t really set off any alarm bells,” he observed.
“It’s part of their normal day-to-day job. The employees all have access to a ton of personal information, and the whole thing relies on trust.” “It seems really hard to secure these systems when such broad access is built into the system by default,” he concluded.
This highlights the need for enhanced security measures within the automotive sector to prevent future Subaru security flaws and similar vulnerabilities in other brands.