Security researchers Sam Curry and Shubham Shah disclosed a serious flaw in Subaru’s Starlink connected-vehicle service. The vulnerability let an outsider take over accounts on an employee-only admin panel and, through it, reach the private accounts of Subaru customers in the US, Canada, and Japan, potentially putting millions of vehicles at risk. From the admin panel an attacker could remotely control vehicles, read sensitive customer data, and retrieve vehicles’ location histories.
What is Subaru Starlink?
Subaru Starlink is a connected-vehicle service that provides remote features such as vehicle location, remote unlocking, and remote engine start. Customers use these features through the MySubaru app, while Subaru employees manage customer accounts and vehicles through a separate admin web portal. The recently discovered vulnerability showed that this admin portal, which should be reachable only by authorized employees, could be taken over by an outside attacker and used to gain full control over customers’ vehicles.
How Did the Researchers Discover the Vulnerability?
The researchers found that the Subaru admin panel was hosted on a subdomain of subarucs.com. By reading the JavaScript files served by that portal, they located the API endpoint used for password resets and discovered that it would change any employee’s password when given only that employee’s email address, with no confirmation token or other proof that the caller controlled the account. Once they had reset an employee’s password they were past the login; the portal’s two-factor prompt was enforced only in the browser and could be removed from the page. This gave them unrestricted access to the backend of Subaru’s connected-vehicle system.
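The pattern behind the reset flaw is easier to see in code. The block below is an added example, not Subaru’s code: it shows a reset handler that trusts whatever account identity the caller supplies (the class of bug described above) beside a hardened version that requires a server-issued, single-use, expiring token bound to the account. The account store, the account names and the endpoint shapes are constructed for this example.

```python
"""Password reset for an employee admin portal: the flawed pattern beside a hardened one.

Added example, not Subaru's code. The store, accounts and endpoint shapes are
constructed. RESET_TTL and the PBKDF2 parameters are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

RESET_TTL = 15 * 60  # seconds a reset token stays valid (assumption for this example)


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; prefer argon2id or scrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


class EmployeeStore:
    """In-memory account store standing in for the portal's user database."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Dict[str, bytes]] = {}   # email -> {"salt", "hash"}
        self.reset_tokens: Dict[str, dict] = {}           # sha256(token) -> {"email", "expires"}

    def add(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt, "hash": _kdf(password, salt)}

    def set_password(self, email: str, password: str) -> None:
        self.add(email, password)  # fresh salt on every change

    def verify(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        return hmac.compare_digest(acct["hash"], _kdf(password, acct["salt"]))


def reset_password_vulnerable(store: EmployeeStore, email: str, new_password: str) -> bool:
    """The flawed pattern: the only 'proof' of identity is knowing the target's email.

    Anyone who can reach this endpoint can set any employee's password and log in as them.
    """
    if email not in store.accounts:
        return False
    store.set_password(email, new_password)
    return True


def issue_reset_token(store: EmployeeStore, email: str,
                      now: Optional[float] = None) -> Optional[str]:
    """Hardened step 1: mint a random single-use token and store only its hash.

    In a real portal the plaintext token goes out of band (to the employee's
    mailbox); it is returned here only so the example can complete the flow.
    The HTTP response to the caller should look the same whether or not the
    email exists, so the None result must not be exposed to the client.
    """
    if email not in store.accounts:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store.reset_tokens[digest] = {"email": email, "expires": _now(now) + RESET_TTL}
    return token


def reset_password_hardened(store: EmployeeStore, token: str, new_password: str,
                            now: Optional[float] = None) -> bool:
    """Hardened step 2: the caller never names the account; the token does.

    The token is looked up by hash, consumed on first use, and rejected after RESET_TTL.
    """
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = store.reset_tokens.pop(digest, None)  # pop: a token works at most once
    if record is None or _now(now) > record["expires"]:
        return False
    store.set_password(record["email"], new_password)
    return True


if __name__ == "__main__":
    store = EmployeeStore()
    store.add("admin@example.com", "correct horse battery staple")
    # Attacker knows only the email and walks in through the flawed endpoint.
    print("vulnerable reset:", reset_password_vulnerable(store, "admin@example.com", "pwned"))
    # Against the hardened endpoint a guessed token fails; a mailed token works exactly once.
    print("guessed token:", reset_password_hardened(store, "not-a-real-token", "pwned"))
    tok = issue_reset_token(store, "admin@example.com")
    print("mailed token:", reset_password_hardened(store, tok, "new-secret"))
    print("replayed token:", reset_password_hardened(store, tok, "again"))
```

The important difference is that in the hardened flow the account being reset is derived from a secret the server generated and delivered to the legitimate owner, never from a field the caller fills in. The token is stored hashed so a database read does not yield usable tokens, is consumed on first use, and expires.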
Potential Consequences of the Vulnerability
The implications of this vulnerability are serious. With access to the admin panel, Curry and Shah could look up any Subaru customer’s vehicle and hijack its connected features, including:
- Remotely unlocking the car.
- Starting the ignition.
- Tracking the vehicle’s precise location, including its history for up to a year.
The location history is particularly alarming: a year of recorded trips exposes the owner’s routine, including visits to doctors, homes, and workplaces.
The Privacy Issue: Location Data Access
Beyond controlling car features, the researchers retrieved a year’s worth of precise location data for Curry’s mother’s Subaru. This history was stored in Subaru’s systems and could be read by any employee with the appropriate permissions. That raises a privacy concern independent of the bug itself: collecting and retaining this much location data means that an insider, or anyone holding a compromised employee account, can misuse it.
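Location history of this sensitivity calls for controls on the read path, not only on who is an employee. The block below is an added example, not Subaru’s code, showing one way an internal tool can gate such lookups: every request must come from an approved role, name a purpose and case identifier, stay within a bounded time window, and is written to an audit trail whether granted or denied; raw fixes older than a retention limit are purged. The roles, the retention and window limits, the VINs and the sample fixes are all constructed assumptions for this example.

```python
"""Gatekeeper for vehicle location-history lookups in an internal tool.

Added example, not Subaru's code. Roles, limits, VINs and fixes are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Fix:
    vin: str
    when: datetime
    lat: float
    lon: float


# Policy knobs (assumptions for this example, not Subaru's values).
RETENTION = timedelta(days=30)   # keep raw fixes no longer than this
MAX_WINDOW = timedelta(days=7)   # largest span one lookup may request
ALLOWED_ROLES = {"support_tier2", "stolen_vehicle_desk"}

# Constructed sample data: two vehicles, one fix already past retention.
NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)
VIN_A = "JF1EXAMPLE0000001"
VIN_B = "JF1EXAMPLE0000002"
SAMPLE_FIXES = [
    Fix(VIN_A, NOW - timedelta(days=1), 40.7128, -74.0060),
    Fix(VIN_A, NOW - timedelta(days=3), 40.7306, -73.9352),
    Fix(VIN_A, NOW - timedelta(days=45), 40.6892, -74.0445),  # older than RETENTION
    Fix(VIN_B, NOW - timedelta(days=2), 34.0522, -118.2437),
]


@dataclass
class LocationService:
    fixes: List[Fix]
    audit: List[dict] = field(default_factory=list)

    def authorize(self, role: str, start: datetime, end: datetime,
                  purpose: str, case_id: str) -> Tuple[bool, str]:
        """Policy check: role, bounded window, and a recorded reason for the lookup."""
        if role not in ALLOWED_ROLES:
            return False, f"role {role!r} may not read location history"
        if end < start:
            return False, "end precedes start"
        if end - start > MAX_WINDOW:
            return False, f"window exceeds {MAX_WINDOW.days} days"
        if not purpose.strip() or not case_id:
            return False, "purpose and case id are required"
        return True, "ok"

    def history(self, requester: str, role: str, vin: str, start: datetime,
                end: datetime, purpose: str, case_id: str) -> List[Fix]:
        ok, reason = self.authorize(role, start, end, purpose, case_id)
        # Every attempt, granted or denied, is recorded before any data is returned.
        self.audit.append({
            "requester": requester, "role": role, "vin": vin,
            "start": start.isoformat(), "end": end.isoformat(),
            "purpose": purpose, "case_id": case_id,
            "granted": ok, "reason": reason,
        })
        if not ok:
            raise PermissionError(reason)
        return sorted(
            (f for f in self.fixes if f.vin == vin and start <= f.when <= end),
            key=lambda f: f.when,
        )

    def purge_expired(self, now: datetime) -> int:
        """Data minimisation: drop raw fixes older than RETENTION; returns how many."""
        cutoff = now - RETENTION
        before = len(self.fixes)
        self.fixes = [f for f in self.fixes if f.when >= cutoff]
        return before - len(self.fixes)


if __name__ == "__main__":
    svc = LocationService(fixes=list(SAMPLE_FIXES))
    rows = svc.history("alice", "support_tier2", VIN_A, NOW - timedelta(days=4), NOW,
                       "owner reports car missing from driveway", "CASE-1001")
    print("fixes returned:", len(rows))
    try:
        svc.history("bob", "marketing", VIN_A, NOW - timedelta(days=1), NOW,
                    "campaign targeting", "CASE-1002")
    except PermissionError as exc:
        print("denied:", exc)
    print("purged:", svc.purge_expired(NOW), "audit entries:", len(svc.audit))
```

The audit entries are what an investigation needs: who asked, for which vehicle, over what window, and why. The retention purge limits the blast radius of a compromised account to whatever the business actually needs to keep, rather than a year of movements.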
Subaru’s Response and Fixes
Curry and Shah reported the vulnerabilities to Subaru, which patched the issue within 24 hours. The company stated that no customer data had been accessed without authorization and that additional security measures were put in place to prevent a recurrence. Subaru also said that employees who access sensitive data are trained and bound by confidentiality agreements. That is an administrative control rather than a technical one: it does not by itself stop a compromised employee account, such as the one the researchers obtained, from reading the data.
Broader Implications for the Automotive Industry
While Subaru has addressed this specific vulnerability, the researchers note that the problem is not unique to Subaru. They have previously found similar flaws in the connected-vehicle systems of other manufacturers, including Toyota, Honda, Hyundai, and BMW. The growing reliance on connected technology in vehicles makes such admin portals and telematics backends high-value targets and underscores the need for stronger security engineering to protect both car owners and their data.
What Can Vehicle Owners Do?
Subaru has fixed this vulnerability, and because it lay in Subaru’s employee portal rather than in customer accounts, nothing an owner could have done with their own account would have prevented it. Owners can still reduce their exposure to account-level attacks. Subaru owners should:
- Use a unique, strong password for their Starlink/MySubaru account, and change it if it may have been exposed elsewhere.
- Watch for unexpected remote commands, login notifications, or changes to their account or vehicle settings.
- Enable two-factor authentication (2FA) where the service offers it, for an extra layer of protection.
Conclusion
The Subaru Starlink vulnerability is a stark reminder of how much rides on the security of automotive backends. As vehicles become more connected, a single flaw in an internal portal can translate into remote control of cars and exposure of their owners’ movements. Automakers need to treat these systems with the same rigor as any other critical infrastructure: strong authentication on employee tools, least-privilege access to customer data, and limits on how much location history is kept.