A Critical Vulnerability in Subaru Starlink Could Allow Remote Vehicle Hijacking in North America

Security experts recently discovered a critical vulnerability in Subaru's Starlink system that could have enabled hackers to remotely access and control vehicles across the U.S., Canada, and Japan using only a license plate number.

Discovery and Details

Renowned bug bounty hunter Sam Curry, with assistance from researcher Shubham Shah, uncovered this issue on November 20, 2024. The flaw allowed potential attackers to gain unauthorized access to every Subaru customer's account and vehicle in the impacted regions. Exploiting this vulnerability required the victim's last name and ZIP code, or alternative information such as their email address, phone number, or license plate.

Control Functions: Attackers could remotely start, stop, lock, and unlock vehicles.

Location Tracking: They could access both real-time and historical location data accurate to within five meters.

Data Access: Hackers could retrieve customers' personal information, including emergency contacts and billing details.

User Information: Additional data such as support call history and odometer readings could be accessed.

Curry demonstrated the flaw's severity by showing how one could extract over a year's worth of a vehicle's location data in under ten seconds.

Technical Breakdown

The vulnerability stemmed from Starlink's admin portal, where a "resetPassword.json" endpoint allowed Subaru employees to reset accounts without a confirmation token by entering any valid employee email. Once an account was compromised, bypassing two-factor authentication was straightforward, involving merely removing a client-side overlay in the user interface. Curry explained, "One endpoint allowed vehicle searches using a customer's last name, zip code, phone number, or email, permitting control over their vehicle access."
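As an added example (not Subaru's code and not taken from the researchers' write-up), the Python below shows the two server-side controls whose absence the paragraph above describes: a password reset that requires a single-use token bound to the email, and a 2FA flag that the server checks before answering a vehicle search. The `AdminPortal` class, its method names, the 15-minute expiry and the one-time code standing in for a real second factor are all assumptions.

```python
import hashlib, hmac, secrets, time

class AdminPortal:
    """Hypothetical admin-portal backend; every name here is an assumption."""
    def __init__(self):
        self.passwords = {}  # email -> (salt, PBKDF2 hash)
        self.resets = {}     # sha256(token) -> (email, expiry)
        self.sessions = {}   # session id -> {"otp", "mfa_ok"}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def request_reset(self, email):
        # The token is mailed to the employee; only its hash is stored.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.resets[digest] = (email, time.time() + 900)  # 15 min, constructed
        return token

    def reset_password(self, email, new_password, token):
        # A valid email alone is not enough: require the single-use token.
        digest = hashlib.sha256((token or "").encode()).hexdigest()
        email_for, expiry = self.resets.pop(digest, (None, 0))
        if email_for != email or expiry < time.time():
            return False
        salt = secrets.token_bytes(16)
        self.passwords[email] = (salt, self._hash(new_password, salt))
        return True

    def login(self, email, password):
        salt, stored = self.passwords.get(email, (b"", b""))
        if not stored or not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        sid = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"  # stands in for a real second factor
        self.sessions[sid] = {"otp": otp, "mfa_ok": False}
        return sid

    def verify_mfa(self, sid, code):
        s = self.sessions.get(sid)
        if s and hmac.compare_digest(s["otp"], code):
            s["mfa_ok"] = True
            return True
        return False

    def vehicle_search(self, sid, last_name, zip_code):
        # The server, not a UI overlay, decides whether 2FA was completed.
        if not self.sessions.get(sid, {}).get("mfa_ok"):
            raise PermissionError("second factor not verified")
        return {"query": (last_name, zip_code), "results": []}
```

Because the `mfa_ok` flag lives in server-side session state, hiding or removing anything in the browser has no effect on whether `vehicle_search` answers.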

Resolution and Implications

The researchers confirmed that Subaru's admin dashboard could access nearly every Subaru vehicle within the three affected countries. They validated this on a friend's Subaru, demonstrating the potential actions via its license plate. Subaru addressed the vulnerability within 24 hours of being notified, and no evidence indicates that any attacker exploited the flaw before it was patched. In separate research, the same team uncovered a similar flaw in Kia's system that allowed attackers to locate and potentially steal Kia cars made since 2013 using a vehicle's license plate.
