Critical Security Flaw in Subaru Starlink System Exposed Vehicle Control and Location Data

Security researchers have uncovered a major vulnerability in Subaru's Starlink connected services system that could have allowed unauthorized access to vehicle locations, door locks, and other critical functions.

Penetration testers Sam Curry and Shubham Shah identified serious security flaws in Starlink's administrator console that enabled potential hackers to compromise Subaru employee accounts and gain administrative system access.

The discovered vulnerability exposed extensive vehicle data, including up to one year of location history tracking and remote control capabilities like locking and unlocking doors. The security gap affected Subaru vehicles across the United States, Canada, and Japan.

The researchers found they could access the admin portal by exploiting weaknesses in the password reset process for employee accounts. After determining Subaru's email address format, they bypassed security measures to gain unauthorized entry. Access to individual vehicles only required a Vehicle Identification Number (VIN), which could be obtained from license plate records.

Following responsible disclosure practices, the research team notified Subaru of the security issues in November. The automaker responded swiftly, implementing fixes within 24 hours of notification.

While this specific vulnerability has been patched, the discovery raises broader concerns about potential security gaps in connected vehicle systems. The incident highlights the growing cybersecurity challenges faced by automakers as vehicles become increasingly connected.

The researchers emphasize that any Subaru vehicle with visible license plates could have been compromised through this security flaw before it was fixed. Though resolved quickly, the incident serves as a reminder of the ongoing security risks in modern automotive technology.