Subaru patches major Starlink security flaw

Subaru recently patched a significant security flaw that allowed hackers to remotely unlock, start, and track millions of vehicles. The vulnerability was discovered by security researchers Sam Curry and Shubham Shah, who found that an employee web portal could be easily hacked. After gaining access to the portal, the researchers were able to control a test vehicle remotely and view a year’s worth of its location data.

They notified Subaru of the issue, and the company quickly fixed the vulnerability. The researchers believe that malicious hackers had not breached the system before it was patched. However, they noted that authorized Subaru employees could still access owners’ location history with just a single piece of information, such as the owner’s last name, zip code, email address, phone number, or license plate.

The hacked admin portal was part of Subaru’s Starlink suite of connectivity features. Curry and Shah accessed it by finding a Subaru Starlink employee’s email address on LinkedIn and resetting the worker’s password after bypassing two required security questions. They also bypassed two-factor authentication by removing the client-side overlay from the user interface.

The researchers confirmed that the Starlink admin dashboard had access to nearly any Subaru in the United States, Canada, and Japan. They demonstrated the hack on a friend’s vehicle after obtaining her permission.

In addition to tracking location, the admin portal allowed the researchers to start, stop, lock, and unlock any Starlink-connected Subaru vehicle. They reported that Curry’s mother received no notifications about the researchers adding themselves as authorized users or any alerts when unlocking her car. Subaru’s Communications Director, Dominick Infante, stated that the company patched the vulnerability the same day they were notified.

According to Infante, no Subaru vehicles or customer data were accessed without authorization. Subaru emphasized that its cars cannot be driven remotely and that the company does not sell location data. Only certain employees can access driver location data, based on job relevance.

However, Curry and Shah pointed out that similar broad access is common across the auto industry, citing previous security flaws they found in vehicles from other manufacturers. They warn that the problem is not unique to Subaru and that improved security measures are needed across the industry to protect against evolving hacking methods.
