Security researchers uncovered a critical vulnerability in Subaru’s Starlink service that could have allowed attackers to hijack and control vehicles in the U.S., Canada, and Japan using only a license plate number.

The flaw, discovered on November 20, 2024, by bug bounty hunter Sam Curry and researcher Shubham Shah, exposed millions of Subaru customers to potential security and privacy risks.

The vulnerability gave attackers unrestricted access to user accounts and vehicles through an arbitrary account-takeover flaw in Starlink’s admin portal. Attackers only needed basic information, such as the victim’s last name, ZIP code, email address, phone number, or license plate, to exploit it.


Successful exploitation could have enabled hackers to remotely control vehicle functions, such as starting, stopping, locking, or unlocking the car. They could also retrieve a vehicle’s real-time location, its location history for up to a year, and access sensitive customer data, including personally identifiable information (PII), billing details, and vehicle PINs. Curry demonstrated the flaw in action, revealing that location data for any Subaru car could be accessed within just 10 seconds.

According to Curry, the vulnerability stemmed from a “resetPassword.json” API endpoint in the Starlink admin portal, which allowed employee account resets without confirmation tokens. Even two-factor authentication (2FA) could be bypassed by altering the client-side portal interface. Subaru patched the vulnerability within 24 hours of being notified, and no evidence of exploitation by attackers was found.
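The two weaknesses described above, a reset endpoint that requires no confirmation token and 2FA enforced only in the client, placed beside the server-side pattern that closes them. This is an added illustration, not code from the article or from Subaru's portal; the in-memory stores, token format and the simplified second-factor check are all assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory stores standing in for an account and session database
# (hypothetical, not Subaru's or Starlink's code).
ACCOUNTS = {"admin@example.invalid": {"password": "old-pw", "second_factor": "123456"}}
RESET_TOKENS = {}     # token -> (bound e-mail, expiry timestamp)
SESSIONS = {}         # session id -> server-side state the client cannot edit
TOKEN_TTL = 15 * 60   # seconds a reset token remains valid


def reset_password_weak(email, new_password):
    # Anti-pattern the article describes: knowing an identifier is enough.
    if email not in ACCOUNTS:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True


def request_reset(email, now=None):
    # Issue a single-use, time-limited token bound to one account. A real
    # service delivers it out of band (e-mail) rather than returning it.
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None  # answer the caller identically either way to avoid enumeration
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (email, now + TOKEN_TTL)
    return token


def reset_password(email, token, new_password, now=None):
    # Only a valid, unexpired token issued for this exact account changes the password.
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)  # pop first: a token is never replayable
    if entry is None:
        return False
    bound_email, expiry = entry
    if now > expiry or not hmac.compare_digest(bound_email, email):
        return False  # expired, or presented for a different account
    ACCOUNTS[email]["password"] = new_password
    return True


def login(email, password, code):
    # The second-factor result is decided and stored server-side; the client
    # only receives an opaque session id. (Direct code comparison stands in
    # for a real TOTP check.)
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(acct["password"], password):
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"email": email, "mfa_ok": hmac.compare_digest(acct["second_factor"], code)}
    return sid


def admin_action_allowed(sid):
    # Every privileged request re-reads the server-side flag, not a client-supplied one.
    state = SESSIONS.get(sid)
    return bool(state and state["mfa_ok"])
```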


A similar flaw was previously discovered in Kia’s dealer portal, where attackers could locate and steal vehicles using license plate information. These incidents underscore the urgent need for automakers to enhance cybersecurity measures to protect customer data and vehicle systems. (Source: BleepingComputer)