Subaru Starlink Flaw Allowed Hackers to Hijack Cars
A critical security vulnerability was discovered in Subaru's Starlink connected car service, exposing millions of vehicles.

A critical security vulnerability was discovered in Subaru's Starlink connected car service, exposing millions of vehicles in the United States, Canada, and Japan to potential cyberattacks. On November 20, 2024, security researchers Sam Curry and Shubham Shah identified the flaw, which allowed attackers to remotely control and track vehicles using only a license plate.
This arbitrary account takeover vulnerability could have enabled hackers to access customer accounts and vehicles, revealing a broad spectrum of sensitive information and granting unprecedented control over Subaru cars.
Details of the Vulnerability
The vulnerability stemmed from an insecure endpoint within Subaru's Starlink admin portal, known as “resetPassword.json.” This endpoint permitted Subaru employees to reset their accounts without requiring a confirmation token, bypassing critical authentication checks.
Once the researchers gained access to an employee account, they encountered a two-factor authentication (2FA) prompt. However, this check was enforced only on the client side: disabling the overlay in the portal's user interface was enough to bypass it.
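The two defects described above, a reset endpoint that needs no confirmation token and a 2FA step enforced only by the UI, reduced to a minimal handler pair with the vulnerable form beside its server-side fix. This is an added Python illustration, not Subaru's code; the in-memory stores, e-mail, password and OTP values are constructed placeholders.

```python
import hmac
import secrets
import time
# Constructed in-memory stores standing in for the portal's database (assumption).
USERS = {"employee@example.com": {"password": "old-pass", "otp": "246810"}}
RESET_TOKENS = {}  # token -> (bound e-mail, expiry timestamp)
def reset_password_vulnerable(email, new_password):
    # Mirrors the reported defect: e-mail is the only input, no proof of ownership.
    if email not in USERS:
        return False
    USERS[email]["password"] = new_password
    return True

def issue_reset_token(email, ttl_seconds=900):
    # Unguessable, time-limited token delivered out of band to the account owner.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (email, time.time() + ttl_seconds)
    return token

def reset_password_fixed(email, token, new_password):
    # Server-side: token must exist (pop() = single use), be unexpired, match e-mail.
    entry = RESET_TOKENS.pop(token, None)
    if entry is None or time.time() > entry[1]:
        return False
    if not hmac.compare_digest(entry[0], email):
        return False
    USERS[email]["password"] = new_password
    return True

def login_vulnerable(email, password):
    # Password alone yields a full session; 2FA is only a UI overlay, so
    # removing that overlay client-side skips the second factor entirely.
    if USERS.get(email, {}).get("password") == password:
        return {"state": "full", "email": email}
    return None

def login_fixed(email, password):
    # Password yields only a pending state; every sensitive endpoint (vehicle
    # search, remote commands) must refuse anything but state == "full".
    if USERS.get(email, {}).get("password") == password:
        return {"state": "pending_2fa", "email": email}
    return None

def verify_otp(session, otp):
    # Only the server upgrades the session, and only after checking the OTP.
    if session and session["state"] == "pending_2fa" \
            and hmac.compare_digest(otp, USERS[session["email"]]["otp"]):
        return {"state": "full", "email": session["email"]}
    return session
```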
After breaching the portal, the researchers gained extensive access to customer and vehicle information. One of the key endpoints, a vehicle search tool, allowed them to query a vehicle using minimal details such as the victim's last name, ZIP code, phone number, email address, or license plate number.
The researchers confirmed that they could:
Remotely control vehicle functions: Start or stop the engine, lock or unlock doors, and track the vehicle’s current location.
Access location history: Retrieve up to one year of location data, accurate to within five meters, updated every time the vehicle’s engine started.
Steal sensitive personal information: Obtain customer data such as physical addresses, billing details (partial credit card numbers), emergency contact information, vehicle PINs, and more.
View miscellaneous data: Access records like odometer readings, sales history, support call logs, and previous ownership details.
Curry demonstrated how the flaw could be exploited, retrieving over a year’s worth of location data for a Subaru car in under 10 seconds.
Impact of the Exploit
The vulnerability exposed millions of Subaru vehicles to potential cyberattacks, putting customers at risk of having their personal and financial information stolen, their vehicles tracked, or even remotely hijacked.
If left unpatched, malicious actors could have exploited the flaw to:
Compromise the physical security of vehicles by unlocking doors or disabling engines remotely.
Use detailed location histories for stalking or surveillance purposes.
Sell stolen personal information on dark web forums, leading to identity theft or other cybercrimes.
Quick and Effective Mitigation
Once Subaru was informed of the vulnerability, the company acted swiftly. Within 24 hours of the researchers' report, Subaru patched the security flaw, ensuring that attackers could no longer exploit it.
Curry confirmed that the vulnerability was never exploited in real-world attacks before being patched, thanks to the quick action taken by Subaru.
Similar Past Vulnerabilities
This incident highlights growing concerns about the security of connected car systems. In a similar case, Curry and other researchers uncovered a security flaw in Kia’s dealer portal. This vulnerability allowed hackers to locate and steal millions of Kia vehicles manufactured since 2013, using only the targeted vehicle’s license plate.
As automakers increasingly integrate connected services into their vehicles, the risk of cyberattacks targeting these platforms rises significantly. Weak security measures can lead to vulnerabilities that put customers and their vehicles at risk.
Lessons for the Automotive Industry
The Subaru Starlink vulnerability underscores the importance of robust cybersecurity practices in the automotive sector. Automakers must prioritize:
Secure Development Practices: Developers should adopt security-by-design principles to ensure that critical systems are designed with security in mind from the outset. Regular code reviews and security audits can help identify and address vulnerabilities early in the development process.
Comprehensive Authentication Protocols: Sensitive portals, such as those used for admin or dealer access, should implement strong authentication mechanisms, including multi-factor authentication (MFA) and token-based verification.
Penetration Testing and Bug Bounty Programs: Automakers should encourage independent security researchers to test their systems by offering bug bounty programs. This proactive approach can help uncover vulnerabilities before they are exploited by malicious actors.
Regular Patching and Updates: Connected car systems must be updated frequently to patch vulnerabilities and address emerging threats. Automakers should implement secure over-the-air (OTA) update mechanisms to quickly deploy fixes.
Customer Awareness: Educating customers about potential risks associated with connected systems and how to mitigate them is critical. For example, customers should use strong passwords, monitor their accounts for unusual activity, and report suspicious behavior promptly.
Conclusion
The Subaru Starlink vulnerability serves as a wake-up call for the automotive industry to take cybersecurity seriously. As vehicles become more connected, the attack surface expands, creating new opportunities for cybercriminals.
While Subaru’s swift response to this incident minimized its impact, the automotive industry must recognize that vulnerabilities in connected systems can have severe consequences. By prioritizing security in their development and maintenance processes, automakers can protect their customers and vehicles from emerging cyber threats.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest services and cybersecurity news about IT, web, mobile (iOS, Android), API, cloud, IoT, network, application, system, red teaming, social engineering, wireless, and source code.