Introduction

Security researchers Sam Curry and Shubham Shah have uncovered critical vulnerabilities in Subaru’s STARLINK-connected infotainment systems [9], affecting the 2023 Subaru Impreza and all Subaru vehicles in the US, Canada [1] [3] [4] [5] [10], and Japan [1] [3] [4] [5] [10]. These vulnerabilities pose significant risks [5], allowing unauthorized access to vehicles and sensitive personal information [1] [2].

Description

Security researchers Sam Curry and Shubham Shah have identified significant vulnerabilities in Subaru’s STARLINK-connected infotainment systems, particularly affecting the 2023 Subaru Impreza and all Subaru vehicles in the US, Canada [1] [3] [4] [5] [10], and Japan [1] [3] [4] [5] [10]. Discovered on November 20, 2024 [1] [3], these flaws exposed Subaru customers to potential targeted attacks, allowing unauthorized access to millions of vehicles and sensitive personal information [1] [2]. The vulnerabilities were severe due to their wide reach and ease of exploitation [1], enabling attackers to remotely unlock [4], start [2] [4] [5] [6] [7] [8] [9] [10], stop [5] [6], and track connected cars using minimal personal information such as the vehicle owner’s last name, ZIP code [1] [3] [6] [9], email address [1] [3] [4] [6] [9], phone number [1] [3] [4] [6] [9], or license plate number [1] [3] [5] [6] [9].

The researchers uncovered the vulnerabilities while auditing the MySubaru mobile app [5], initially finding its customer-facing endpoints secure. However, through subdomain analysis linked to employee functionality [3], they discovered an unprotected endpoint in the STARLINK Admin Panel that allowed password resets without email verification. This flaw effectively bypassed two-factor authentication (2FA), as the researchers found a “resetPassword.json” endpoint that enabled password resets without a confirmation token [3]. By exploiting this vulnerability [1], they were able to reset any employee’s password using a valid employee email obtained through open-source intelligence (OSINT) research, gaining access to the admin portal.
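The core defect described above is a reset endpoint that changes a password on the strength of an email address alone. The following is an added illustration, not Subaru's code or the researchers' proof of concept: a minimal model of such a handler next to a hardened version that requires a random, hashed, short-lived, single-use token bound to the account. The user store, token store and `example.com` address are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the portal's user and token tables.
USERS = {"employee@example.com": {"password_hash": None}}
RESET_TOKENS = {}  # email -> (sha256 of token, expiry as epoch seconds)
TOKEN_TTL_SECONDS = 15 * 60

def hash_password(password: str) -> str:
    # Fixed salt keeps the example short; a real store uses a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 100_000).hex()

def reset_password_vulnerable(email: str, new_password: str) -> bool:
    """Models the flaw: knowing an employee's email is enough to set a new password."""
    user = USERS.get(email)
    if user is None:
        return False
    user["password_hash"] = hash_password(new_password)
    return True

def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened step 1: issue a random token, store only its hash, and deliver the
    raw token out of band (mailbox). The HTTP response should look the same for
    unknown addresses so the endpoint does not enumerate accounts."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    expiry = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    RESET_TOKENS[email] = (hashlib.sha256(token.encode()).hexdigest(), expiry)
    return token

def reset_password_hardened(email: str, token: str, new_password: str,
                            now: Optional[float] = None) -> bool:
    """Hardened step 2: the reset succeeds only with the unexpired token issued for
    this email; the token is consumed whether or not a later attempt follows."""
    entry = RESET_TOKENS.get(email)
    if entry is None:
        return False
    stored_hash, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        RESET_TOKENS.pop(email, None)
        return False
    presented_hash = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(stored_hash, presented_hash):  # constant-time compare
        return False
    RESET_TOKENS.pop(email, None)  # single use
    USERS[email]["password_hash"] = hash_password(new_password)
    return True
```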

Once inside the admin portal, they accessed various endpoints [4], including a vehicle search function capable of querying sensitive customer information such as last names [4], registration numbers [8], ZIP codes [1] [3] [6] [9], phone numbers [1] [3] [4] [6] [9], email addresses [1] [3] [4] [6] [9], and VINs [4]. This access enabled the researchers to track and control nearly any Subaru vehicle in real time, with capabilities that included remotely starting, stopping [4], locking [1] [2] [4] [5] [10], unlocking [1] [2] [4] [5] [6] [7] [8] [9] [10], and retrieving the current location of any vehicle [4]. They confirmed the exploit’s severity by remotely unlocking a friend’s vehicle using only the license plate number [5], with no alerts sent to the owner [5]. Additionally, they accessed a vehicle’s complete location history from the past year [4], detailing precise parking locations and sensitive data, including information related to doctor visits. They could also retrieve personally identifiable information (PII) of any customer [4], including emergency contacts [4] [5], home addresses [1] [5], billing information [3] [4], and vehicle PINs [4]. Miscellaneous user data [4], such as support call history [4], previous owners [4], and odometer readings [4], was also accessible. The researchers highlighted serious risks associated with these vulnerabilities [10], such as potential stalking or theft [10], since an attacker could remotely unlock a vehicle and track its location [10].
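The chain above (employee password reset, then vehicle search and remote commands from the portal, with no alert to the owner) is the kind of sequence a portal's audit log should surface. The following detection logic is an added example, not Subaru's tooling: it reads constructed audit lines in an assumed `ts user= action= ip=` format and flags privileged vehicle actions that follow a password reset of the same admin account within an hour, noting when the source IP was never used by that account before the reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines for the example; the format and field names are assumed.
SAMPLE_LOG = """\
2024-11-20T10:00:00Z user=alice action=login ip=203.0.113.5
2024-11-20T10:05:00Z user=alice action=vehicle.search ip=203.0.113.5
2024-11-20T14:00:00Z user=bob action=password.reset ip=198.51.100.7
2024-11-20T14:01:00Z user=bob action=login ip=198.51.100.7
2024-11-20T14:02:00Z user=bob action=vehicle.search ip=198.51.100.7
2024-11-20T14:03:00Z user=bob action=vehicle.unlock ip=198.51.100.7
2024-11-20T14:04:00Z user=bob action=vehicle.history ip=198.51.100.7
"""

# Actions that move, open or locate a customer's car, or expose its location history.
PRIVILEGED = {"vehicle.unlock", "vehicle.start", "vehicle.stop",
              "vehicle.locate", "vehicle.history"}
WINDOW = timedelta(hours=1)

def parse(line: str) -> dict:
    ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect(log_text: str) -> list:
    """Return one alert per privileged action performed within WINDOW of a
    password reset on the same account. Each alert lists its reasons so the
    SOC can also trigger an owner notification for the affected vehicle."""
    last_reset = {}            # user -> (reset time, IPs the account used before the reset)
    known_ips = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        e = parse(line)
        user, action, ip, ts = e["user"], e["action"], e["ip"], e["ts"]
        if action == "password.reset":
            last_reset[user] = (ts, set(known_ips[user]))
        elif action in PRIVILEGED and user in last_reset:
            reset_ts, prior_ips = last_reset[user]
            if ts - reset_ts <= WINDOW:
                reasons = ["privileged vehicle action within 1h of password reset"]
                if ip not in prior_ips:
                    reasons.append("source ip never used by this account before the reset")
                alerts.append({"user": user, "action": action,
                               "ts": ts.isoformat(), "ip": ip, "reasons": reasons})
        known_ips[user].add(ip)
    return alerts
```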

Subaru’s security operations team responded swiftly [1], patching the flaw within 24 hours of being notified of the issues in late November. The company stated that collecting location data is essential for assisting with emergencies and tracking stolen vehicles [8], although concerns have been raised regarding the justification for retaining extensive customer location data. While Subaru claims not to sell user data [6], it can still use it for targeted advertising [6], and the breadth of personal information available to employees, gated only by job relevance, raises further privacy concerns. The company acknowledged that certain employees can access location data for customer service purposes [9], provided they have the necessary training and sign privacy agreements [9]. This incident underscores the systemic risks associated with modern connected car systems [1], where centralized portals can grant extensive permissions without adequate access controls [1]. It raises broader concerns regarding privacy and data security within the automotive industry [2], suggesting that similar vulnerabilities may exist in the web tools of other manufacturers, including Acura [4] [8], Genesis [8], Honda [8], Hyundai [8], Infiniti [8], Kia [8], and Toyota [8]. Users can take steps to limit data collection [6], such as canceling their STARLINK subscription or adjusting marketing preferences [6], but these actions may restrict access to certain features [6].

Conclusion

The discovery of these vulnerabilities in Subaru’s STARLINK system highlights the critical need for robust cybersecurity measures in connected car technologies. Subaru’s prompt response in patching the flaw mitigated immediate risks, but the incident raises broader concerns about data privacy and security in the automotive industry. Manufacturers must prioritize securing their systems to prevent unauthorized access and protect customer data. Additionally, consumers should be aware of the data collected by their vehicles and take steps to manage their privacy settings. This case serves as a reminder of the potential risks associated with modern connected car systems and the importance of ongoing vigilance and improvement in cybersecurity practices.

References

[1] https://cyberpress.org/subaru-starlink-connected-car-vulnerability/
[2] https://www.techspot.com/news/106499-subaru-starlink-vulnerability-exposed-millions-vehicles-unauthorized-access.html
[3] https://securityaffairs.com/173434/security/subaru-starlink-vulnerability-remote-attacks.html
[4] https://www.infosecurity-magazine.com/news/subaru-bug-remote-vehicle-tracking/
[5] https://cyberinsider.com/subaru-flaw-allowed-remote-control-of-millions-of-cars-in-the-us/
[6] https://lifehacker.com/tech/subaru-hack-exposed-security-flaws
[7] https://daxstreet.com/news/241050/millions-of-cars-at-risk-subarus-tracking-system-and-its-security-flaws-revealed/
[8] https://www.techradar.com/vehicle-tech/hackers-expose-serious-subaru-security-flaws-that-allow-them-to-remotely-start-cars
[9] https://www.kbb.com/car-news/security-researchers-we-could-remotely-start-track-subarus/
[10] https://arstechnica.com/cars/2025/01/millions-of-subarus-could-be-remotely-unlocked-tracked-due-to-security-flaws/