Critical Subaru Flaw Exposed: Hackers Could Track and Control Cars Using Just License Plates

Critical Security Flaw Discovered in Subaru’s Starlink System

A significant security vulnerability in Subaru’s Starlink service was uncovered by security researchers Sam Curry and Shubham Shah on November 20, 2024. The flaw potentially exposed vehicles across the United States, Canada, and Japan to unauthorized access through simple identification details.

The Vulnerability:
– Allowed takeover of Starlink admin-portal (employee) accounts without any proof of ownership
– Once inside the portal, a customer and vehicle could be looked up with only a license plate, a last name and ZIP code, an email address, or a phone number
– Affected all Subaru vehicles with Starlink connectivity in the United States, Canada, and Japan

Potential Security Risks:
1. Vehicle Control:
– Remote starting/stopping
– Lock/unlock capabilities
– Real-time location tracking
– Access to one-year location history (5-meter accuracy)

2. Data Access:
– Personal customer information
– Emergency contacts
– Payment details
– Vehicle PINs
– Service history
– Ownership records

Technical Details:
The vulnerability stemmed from the “resetPassword.json” API endpoint in Starlink’s employee admin portal, which reset an account’s password when given only the account’s email address, with no reset token or other verification that the request came from the account owner. Using a portal account obtained this way, the researchers demonstrated that extensive vehicle and customer data could be retrieved within seconds.
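The bug class is easiest to see side by side. The following is an added illustration, not Subaru’s code: a reset handler that treats knowledge of an email address as authority to change the password, next to a reset flow that first issues a secret, single-use, time-limited token to the account owner and only then accepts a new password. The user table, the `example.com` addresses and the function names are constructed for the example.

```python
"""Password-reset without verification versus a token-gated reset.

Hypothetical illustration of the bug class; not Subaru's implementation.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory "employee" table: email -> password hash.
# SHA-256 is used only to keep the example dependency-free; a real system
# stores passwords with a slow, salted hash (argon2, scrypt, bcrypt).
def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

USERS: Dict[str, str] = {"admin@example.com": _hash("original-password")}


# --- Vulnerable variant: the email alone is treated as the authority to reset.
def reset_password_vulnerable(email: str, new_password: str) -> bool:
    """Anyone who knows a valid email address can set that account's password."""
    if email not in USERS:
        return False
    USERS[email] = _hash(new_password)
    return True


# --- Hardened variant: reset requires a token only the account owner receives.
TOKEN_TTL_SECONDS = 15 * 60
# Pending resets keyed by the hash of the token, so a leaked table does not
# leak usable tokens: token hash -> (owning email, expiry timestamp).
_PENDING: Dict[str, Tuple[str, float]] = {}


def request_reset(email: str) -> Optional[str]:
    """Issue a one-time token for the account.

    In a real deployment the token is delivered out of band (email/SMS) and
    the HTTP response is identical whether or not the address exists, to avoid
    account enumeration. It is returned here only so the example runs offline.
    """
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits, unguessable
    _PENDING[_hash(token)] = (email, time.time() + TOKEN_TTL_SECONDS)
    return token


def reset_password_hardened(email: str, token: str, new_password: str) -> bool:
    """Accept a new password only with a valid, unexpired, unused token for this account."""
    key = _hash(token)
    entry = _PENDING.get(key)
    if entry is None:
        return False
    owner, expiry = entry
    if time.time() > expiry:
        _PENDING.pop(key, None)
        return False
    # Constant-time comparison so the check does not leak which part mismatched.
    if not hmac.compare_digest(owner.encode(), email.encode()):
        return False
    _PENDING.pop(key, None)                     # single use: consume before changing
    USERS[email] = _hash(new_password)
    return True


def check_login(email: str, password: str) -> bool:
    """Verify a password against the stored hash."""
    stored = USERS.get(email)
    return stored is not None and hmac.compare_digest(stored, _hash(password))


if __name__ == "__main__":
    # Attacker knows only the address: succeeds against the vulnerable handler...
    print("vulnerable reset:", reset_password_vulnerable("admin@example.com", "attacker-pw"))
    # ...and fails against the hardened one without the owner's token.
    print("hardened reset, guessed token:",
          reset_password_hardened("admin@example.com", "guess", "attacker-pw"))
```

The hardened flow changes what an attacker must possess from a public identifier (an email address) to a secret delivered only to the account owner; binding the token to one account, expiring it and consuming it on first use close the remaining replay and cross-account paths.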

Resolution:
Subaru patched the vulnerability within 24 hours of notification, and no malicious exploitation has been reported. The incident follows similar flaws found in other automotive manufacturers’ connected-car systems, underscoring the importance of cybersecurity in connected vehicles.