Subaru Starlink Vulnerability Exposed Cars to Remote Hacking

A major vulnerability in Subaru’s Starlink connected vehicle service exposed vehicles and customer accounts in the US, Canada, and Japan to potential cyberattacks. Security researcher Sam Curry, along with fellow researcher Shubham Shah, uncovered critical flaws that could have allowed attackers to gain administrative access to Subaru’s connected vehicle system, enabling remote control of vehicles and access to sensitive customer data.

Starlink, the in-vehicle infotainment and connected services system for Subaru cars, is designed to provide features like remote vehicle control, navigation, and emergency services. However, the researchers discovered that the system’s admin panel, meant exclusively for employees, was inadequately secured. Hosted on a subdomain of subarucs.com, the admin portal could be exploited due to weak authentication protocols in the JavaScript code. Specifically, it allowed attackers to reset passwords for valid employee accounts without requiring a confirmation token, effectively bypassing security safeguards.

By identifying a legitimate employee email, Curry and Shah were able to reset the password for the account and bypass two-factor authentication by disabling the client-side overlay. This granted them full access to the admin dashboard, revealing a trove of sensitive data. They could view customer information, including names, ZIP codes, phone numbers, email addresses, and billing details, as well as vehicle-specific data such as VIN numbers and historical location information.

The vulnerabilities didn’t stop at data exposure. According to Curry, the admin panel also enabled the researchers to modify or grant access to vehicles. This included remotely starting, stopping, locking, or unlocking a car without the owner’s knowledge. In an alarming finding, they demonstrated that attackers could add themselves as authorized users for a vehicle without alerting the legitimate owner, effectively taking over control of the car.

Curry reported the flaw to Subaru on November 20, 2024. To Subaru’s credit, the company acted swiftly and resolved the issue within 24 hours of receiving the report. While this rapid response mitigated the immediate risk, the discovery highlights persistent weaknesses in automotive cybersecurity.

This isn’t the first time Curry has exposed vulnerabilities in connected vehicle systems. In 2023, he and a team of researchers revealed security flaws affecting telematics systems, automotive APIs, and the connected vehicle infrastructure of 16 car manufacturers. This included a high-profile issue in the Sirius XM telematics system, which left multiple brands susceptible to remote hacking. Additionally, Curry previously uncovered a bug in Kia’s car owner platform that put millions of vehicles at risk.

The Subaru Starlink case underscores the importance of rigorous security testing in connected car ecosystems. With the growing integration of IoT systems in vehicles, manufacturers must prioritize robust cybersecurity measures to protect against data breaches and remote vehicle takeovers. Failure to do so could leave drivers vulnerable to increasingly sophisticated cyberattacks.